Analysis

- max time kernel: 148s
- max time network: 152s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 09-11-2020 19:49

Static task: static1

Behavioral task: behavioral1
- Sample: 473b99ecfc3b75620f6201898e1d8f74.exe
- Resource: win7v20201028

Behavioral task: behavioral2
- Sample: 473b99ecfc3b75620f6201898e1d8f74.exe
- Resource: win10v20201028

General

- Target: 473b99ecfc3b75620f6201898e1d8f74.exe
- Size: 473KB
- MD5: 473b99ecfc3b75620f6201898e1d8f74
- SHA1: d30e8402cfdd0c2bb67c9c27fbba685682861818
- SHA256: 0cd84bfd6c8c5f61e644286675ece0013aafea6a538f899afc544bcbc0c00f75
- SHA512: 45b4ef4bf7fd28543ee1f1ac738fe66daebb1cffd45f4cd357d9e6a86419da184764ef66adb854dcb985a5b5259d2de1a6c3fa67f3e3c52e8582f2fe538dbba8
Malware Config
Signatures

- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes: cmd.exe
  description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process; pid: 3020; pid_target: 2736; process: cmd.exe
- ServiceHost packer (15 IoCs)
  Detects ServiceHost packer used for .NET malware
  Resources (yara rule servicehost, behavioral2, memory dumps of pid 4048):
- Executes dropped EXE (4 IoCs)
  Processes: wotsuper.exe, 1.exe, 2.exe, spoolsvc.exe
  pid 2552 wotsuper.exe; pid 748 1.exe; pid 4048 2.exe; pid 2576 spoolsvc.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: spoolsvc.exe
  description: Set value (str); ioc: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\VersionRecover = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\spoolsvc.exe"; process: spoolsvc.exe
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in Program Files directory (3 IoCs)
  Processes: 473b99ecfc3b75620f6201898e1d8f74.exe
  File opened for modification: C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe (473b99ecfc3b75620f6201898e1d8f74.exe)
  File opened for modification: C:\Program Files (x86)\wotsuper\wotsuper\Uninstall.exe (473b99ecfc3b75620f6201898e1d8f74.exe)
  File created: C:\Program Files (x86)\wotsuper\wotsuper\Uninstall.ini (473b99ecfc3b75620f6201898e1d8f74.exe)
- Drops file in Windows directory (1 IoC)
  Processes: 473b99ecfc3b75620f6201898e1d8f74.exe
  File opened for modification: C:\Windows\wotsuper.reg (473b99ecfc3b75620f6201898e1d8f74.exe)
- Program crash (1 IoC)
  Processes: WerFault.exe
  pid 944 WerFault.exe; pid_target 4048 2.exe
- Modifies data under HKEY_USERS (1 IoC)
  Processes: svchost.exe
  Key created: \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\NGC\SoftLockoutVolatileKey (svchost.exe)
- Runs .reg file with regedit (1 IoC)
  Processes: regedit.exe
  pid 2964 regedit.exe
- Suspicious behavior: EnumeratesProcesses (15 IoCs)
  Processes: WerFault.exe
  pid 944 WerFault.exe (15 occurrences)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes: 2.exe, WerFault.exe
  Token: SeDebugPrivilege; pid 4048 2.exe
  Token: SeRestorePrivilege; pid 944 WerFault.exe
  Token: SeBackupPrivilege; pid 944 WerFault.exe
  Token: SeDebugPrivilege; pid 944 WerFault.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes: efsui.exe
  pid 1544 efsui.exe (3 occurrences)
- Suspicious use of SendNotifyMessage (3 IoCs)
  Processes: efsui.exe
  pid 1544 efsui.exe (3 occurrences)
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes: 473b99ecfc3b75620f6201898e1d8f74.exe, wotsuper.exe, cmd.exe
  PID 3408 (473b99ecfc3b75620f6201898e1d8f74.exe) wrote to memory of 2552 (wotsuper.exe), 3 times
  PID 3408 (473b99ecfc3b75620f6201898e1d8f74.exe) wrote to memory of 2964 (regedit.exe), 3 times
  PID 2552 (wotsuper.exe) wrote to memory of 748 (1.exe), 3 times
  PID 2552 (wotsuper.exe) wrote to memory of 4048 (2.exe), 3 times
  PID 3020 (cmd.exe) wrote to memory of 216 (choice.exe), 2 times
  PID 3020 (cmd.exe) wrote to memory of 2576 (spoolsvc.exe), 3 times
Processes

- [1] C:\Users\Admin\AppData\Local\Temp\473b99ecfc3b75620f6201898e1d8f74.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\473b99ecfc3b75620f6201898e1d8f74.exe"
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - [2] C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
    Command line: "C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\1.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\1.exe"
      - Executes dropped EXE
    - [3] C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\2.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\2.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 1848
        - Program crash
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\regedit.exe
    Command line: "C:\Windows\System32\regedit.exe" \s C:\Windows\wotsuper.reg
    - Runs .reg file with regedit
- [1] \??\c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NgcSvc
- [1] \??\c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
- [1] \??\c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s NgcCtnrSvc
  - Modifies data under HKEY_USERS
- [1] C:\Windows\system32\efsui.exe
  Command line: efsui.exe /efs /keybackup
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
- [1] C:\Windows\system32\cmd.exe
  Command line: cmd /c choice /C Y /N /D Y /T 3 & del "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\1.exe" & C:\Users\Admin\AppData\Local\Microsoft\spoolsvc.exe
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\choice.exe
    Command line: choice /C Y /N /D Y /T 3
  - [2] C:\Users\Admin\AppData\Local\Microsoft\spoolsvc.exe
    Command line: C:\Users\Admin\AppData\Local\Microsoft\spoolsvc.exe
    - Executes dropped EXE
    - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
  MD5: 2ed9f34a134fc04a70618a44bd272757
  SHA1: 448a0df4d27179cb6cac1e3e355f9abf07e10403
  SHA256: 75869f1a124f201963e819e722cb2529f7d03855a3b55bd8cc8ab46c9f7e85a4
  SHA512: d0017310438735c374be6b9bce769a317e2a69f82bf0d70236a7c7913df8f6ae7dab2fe55d64deff9e8bccae516cbf09e381df0dcf09477dc12f39ca81a0521e
- C:\Users\Admin\AppData\Local\Microsoft\spoolsvc.exe
  MD5: e76739b49a4f804989d54946bc7da936
  SHA1: 67f4113a3af2561ef011cffc33146dc7cb48514d
  SHA256: 783122da15a5aaa2c6bda3b76ed0ce77d988150698b65ac0a460e207f6e623bf
  SHA512: 7ede05cb06ccf69e91d695127ef3fe2be8ccaf5f533355236caa7bd8c9f26178acf9f9fdfe8a0622ee7326341eb74b26256b2b3daf1c0c1a66135e2b8b26ce29
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\1.exe
  MD5: e76739b49a4f804989d54946bc7da936
  SHA1: 67f4113a3af2561ef011cffc33146dc7cb48514d
  SHA256: 783122da15a5aaa2c6bda3b76ed0ce77d988150698b65ac0a460e207f6e623bf
  SHA512: 7ede05cb06ccf69e91d695127ef3fe2be8ccaf5f533355236caa7bd8c9f26178acf9f9fdfe8a0622ee7326341eb74b26256b2b3daf1c0c1a66135e2b8b26ce29
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\2.exe
  MD5: 4ff7dc2eafcc5f54b282c2deac99b951
  SHA1: 63edfac7d9204b3191891dd4cb64b198385bdcfd
  SHA256: 6a4aeb3aa7f4135963c93f1e36649f484b8bc0ef70a6fe95b670bff32dcb75a0
  SHA512: e0dbf69f7b7aae09a0c5708ac42d5ae45285dd34e21c56aa0b82500ebd982ea3ceb95db52d40f75e6a9f4d4e6250bd7d87ceb1a6220d7cf5e1ea66b869d97091