0cd84bfd6c8c5f61e644286675ece0013aafea6a538f899afc544bcbc0c00f75

General

Target

473b99ecfc3b75620f6201898e1d8f74.exe
Size

473KB
MD5

473b99ecfc3b75620f6201898e1d8f74
SHA1

d30e8402cfdd0c2bb67c9c27fbba685682861818
SHA256

0cd84bfd6c8c5f61e644286675ece0013aafea6a538f899afc544bcbc0c00f75
SHA512

45b4ef4bf7fd28543ee1f1ac738fe66daebb1cffd45f4cd357d9e6a86419da184764ef66adb854dcb985a5b5259d2de1a6c3fa67f3e3c52e8582f2fe538dbba8

Score

10^/10

discovery persistence

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3020 2736 cmd.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2736	cmd.exe

ServiceHost packer 15 IoCs

Detects ServiceHost packer used for .NET malware

Processes:

resource	yara_rule
behavioral2/memory/4048-30-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/4048-29-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/4048-31-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/4048-32-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/4048-33-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/4048-34-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/4048-35-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/4048-36-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/4048-38-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/4048-37-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/4048-39-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/4048-41-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/4048-40-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/4048-42-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/4048-43-0x0000000000000000-mapping.dmp	servicehost

Executes dropped EXE 4 IoCs

Processes:

wotsuper.exe1.exe2.exespoolsvc.exe

pid process

2552 wotsuper.exe
748 1.exe
4048 2.exe
2576 spoolsvc.exe

pid	process
2552	wotsuper.exe
748	1.exe
4048	2.exe
2576	spoolsvc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

spoolsvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\VersionRecover = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\spoolsvc.exe"	spoolsvc.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 3 IoCs

Processes:

473b99ecfc3b75620f6201898e1d8f74.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe	473b99ecfc3b75620f6201898e1d8f74.exe
File opened for modification	C:\Program Files (x86)\wotsuper\wotsuper\Uninstall.exe	473b99ecfc3b75620f6201898e1d8f74.exe
File created	C:\Program Files (x86)\wotsuper\wotsuper\Uninstall.ini	473b99ecfc3b75620f6201898e1d8f74.exe

Drops file in Windows directory 1 IoCs

Processes:

473b99ecfc3b75620f6201898e1d8f74.exe

description ioc process

File opened for modification C:\Windows\wotsuper.reg 473b99ecfc3b75620f6201898e1d8f74.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

944 4048 WerFault.exe 2.exe
Modifies data under HKEY_USERS 1 IoCs

Processes:

svchost.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\NGC\SoftLockoutVolatileKey svchost.exe
Runs .reg file with regedit 1 IoCs

Processes:

regedit.exe

pid process

2964 regedit.exe

description	ioc	process
File opened for modification	C:\Windows\wotsuper.reg	473b99ecfc3b75620f6201898e1d8f74.exe

pid	pid_target	process	target process
944	4048	WerFault.exe	2.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\NGC\SoftLockoutVolatileKey	svchost.exe

pid	process
2964	regedit.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

WerFault.exe

pid	process
944	WerFault.exe
944	WerFault.exe
944	WerFault.exe
944	WerFault.exe
944	WerFault.exe
944	WerFault.exe
944	WerFault.exe
944	WerFault.exe
944	WerFault.exe
944	WerFault.exe
944	WerFault.exe
944	WerFault.exe
944	WerFault.exe
944	WerFault.exe
944	WerFault.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

2.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	4048	2.exe
Token: SeRestorePrivilege	944	WerFault.exe
Token: SeBackupPrivilege	944	WerFault.exe
Token: SeDebugPrivilege	944	WerFault.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

efsui.exe

pid process

1544 efsui.exe
1544 efsui.exe
1544 efsui.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

efsui.exe

pid process

1544 efsui.exe
1544 efsui.exe
1544 efsui.exe

pid	process
1544	efsui.exe
1544	efsui.exe
1544	efsui.exe

pid	process
1544	efsui.exe
1544	efsui.exe
1544	efsui.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

473b99ecfc3b75620f6201898e1d8f74.exewotsuper.execmd.exe

description	pid	process	target process
PID 3408 wrote to memory of 2552	3408	473b99ecfc3b75620f6201898e1d8f74.exe	wotsuper.exe
PID 3408 wrote to memory of 2552	3408	473b99ecfc3b75620f6201898e1d8f74.exe	wotsuper.exe
PID 3408 wrote to memory of 2552	3408	473b99ecfc3b75620f6201898e1d8f74.exe	wotsuper.exe
PID 3408 wrote to memory of 2964	3408	473b99ecfc3b75620f6201898e1d8f74.exe	regedit.exe
PID 3408 wrote to memory of 2964	3408	473b99ecfc3b75620f6201898e1d8f74.exe	regedit.exe
PID 3408 wrote to memory of 2964	3408	473b99ecfc3b75620f6201898e1d8f74.exe	regedit.exe
PID 2552 wrote to memory of 748	2552	wotsuper.exe	1.exe
PID 2552 wrote to memory of 748	2552	wotsuper.exe	1.exe
PID 2552 wrote to memory of 748	2552	wotsuper.exe	1.exe
PID 2552 wrote to memory of 4048	2552	wotsuper.exe	2.exe
PID 2552 wrote to memory of 4048	2552	wotsuper.exe	2.exe
PID 2552 wrote to memory of 4048	2552	wotsuper.exe	2.exe
PID 3020 wrote to memory of 216	3020	cmd.exe	choice.exe
PID 3020 wrote to memory of 216	3020	cmd.exe	choice.exe
PID 3020 wrote to memory of 2576	3020	cmd.exe	spoolsvc.exe
PID 3020 wrote to memory of 2576	3020	cmd.exe	spoolsvc.exe
PID 3020 wrote to memory of 2576	3020	cmd.exe	spoolsvc.exe

C:\Users\Admin\AppData\Local\Temp\473b99ecfc3b75620f6201898e1d8f74.exe
"C:\Users\Admin\AppData\Local\Temp\473b99ecfc3b75620f6201898e1d8f74.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3408

C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
"C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2552

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\1.exe
"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\1.exe"
3⤵
- Executes dropped EXE
PID:748

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\2.exe
"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\2.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 1848
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:944

C:\Windows\SysWOW64\regedit.exe
"C:\Windows\System32\regedit.exe" \s C:\Windows\wotsuper.reg
2⤵
- Runs .reg file with regedit
PID:2964

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NgcSvc
1⤵
PID:3156

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
1⤵
PID:3816

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s NgcCtnrSvc
1⤵
- Modifies data under HKEY_USERS
PID:1000

C:\Windows\system32\efsui.exe
efsui.exe /efs /keybackup
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1544

C:\Windows\system32\cmd.exe
cmd /c choice /C Y /N /D Y /T 3 & del "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\1.exe" & C:\Users\Admin\AppData\Local\Microsoft\spoolsvc.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3020

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
2⤵
PID:216

C:\Users\Admin\AppData\Local\Microsoft\spoolsvc.exe
C:\Users\Admin\AppData\Local\Microsoft\spoolsvc.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2576

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
MD5
2ed9f34a134fc04a70618a44bd272757

SHA1
448a0df4d27179cb6cac1e3e355f9abf07e10403

SHA256
75869f1a124f201963e819e722cb2529f7d03855a3b55bd8cc8ab46c9f7e85a4

SHA512
d0017310438735c374be6b9bce769a317e2a69f82bf0d70236a7c7913df8f6ae7dab2fe55d64deff9e8bccae516cbf09e381df0dcf09477dc12f39ca81a0521e

Download Submit
C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
MD5
2ed9f34a134fc04a70618a44bd272757

SHA1
448a0df4d27179cb6cac1e3e355f9abf07e10403

SHA256
75869f1a124f201963e819e722cb2529f7d03855a3b55bd8cc8ab46c9f7e85a4

SHA512
d0017310438735c374be6b9bce769a317e2a69f82bf0d70236a7c7913df8f6ae7dab2fe55d64deff9e8bccae516cbf09e381df0dcf09477dc12f39ca81a0521e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\spoolsvc.exe
MD5
e76739b49a4f804989d54946bc7da936

SHA1
67f4113a3af2561ef011cffc33146dc7cb48514d

SHA256
783122da15a5aaa2c6bda3b76ed0ce77d988150698b65ac0a460e207f6e623bf

SHA512
7ede05cb06ccf69e91d695127ef3fe2be8ccaf5f533355236caa7bd8c9f26178acf9f9fdfe8a0622ee7326341eb74b26256b2b3daf1c0c1a66135e2b8b26ce29

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\1.exe
MD5
e76739b49a4f804989d54946bc7da936

SHA1
67f4113a3af2561ef011cffc33146dc7cb48514d

SHA256
783122da15a5aaa2c6bda3b76ed0ce77d988150698b65ac0a460e207f6e623bf

SHA512
7ede05cb06ccf69e91d695127ef3fe2be8ccaf5f533355236caa7bd8c9f26178acf9f9fdfe8a0622ee7326341eb74b26256b2b3daf1c0c1a66135e2b8b26ce29

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\1.exe
MD5
e76739b49a4f804989d54946bc7da936

SHA1
67f4113a3af2561ef011cffc33146dc7cb48514d

SHA256
783122da15a5aaa2c6bda3b76ed0ce77d988150698b65ac0a460e207f6e623bf

SHA512
7ede05cb06ccf69e91d695127ef3fe2be8ccaf5f533355236caa7bd8c9f26178acf9f9fdfe8a0622ee7326341eb74b26256b2b3daf1c0c1a66135e2b8b26ce29

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\2.exe
MD5
4ff7dc2eafcc5f54b282c2deac99b951

SHA1
63edfac7d9204b3191891dd4cb64b198385bdcfd

SHA256
6a4aeb3aa7f4135963c93f1e36649f484b8bc0ef70a6fe95b670bff32dcb75a0

SHA512
e0dbf69f7b7aae09a0c5708ac42d5ae45285dd34e21c56aa0b82500ebd982ea3ceb95db52d40f75e6a9f4d4e6250bd7d87ceb1a6220d7cf5e1ea66b869d97091

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\2.exe
MD5
4ff7dc2eafcc5f54b282c2deac99b951

SHA1
63edfac7d9204b3191891dd4cb64b198385bdcfd

SHA256
6a4aeb3aa7f4135963c93f1e36649f484b8bc0ef70a6fe95b670bff32dcb75a0

SHA512
e0dbf69f7b7aae09a0c5708ac42d5ae45285dd34e21c56aa0b82500ebd982ea3ceb95db52d40f75e6a9f4d4e6250bd7d87ceb1a6220d7cf5e1ea66b869d97091

Download Submit
memory/216-20-0x0000000000000000-mapping.dmp

Download
memory/748-13-0x00000000007D0000-0x00000000007D1000-memory.dmp

Filesize
4KB

Download
memory/748-4-0x0000000000000000-mapping.dmp

Download
memory/748-16-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/748-10-0x00000000720D0000-0x00000000727BE000-memory.dmp

Filesize
6.9MB

Download
memory/944-28-0x00000000046C0000-0x00000000046C1000-memory.dmp

Filesize
4KB

Download
memory/944-44-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

Filesize
4KB

Download
memory/2552-0-0x0000000000000000-mapping.dmp

Download
memory/2576-23-0x00000000720D0000-0x00000000727BE000-memory.dmp

Filesize
6.9MB

Download
memory/2576-21-0x0000000000000000-mapping.dmp

Download
memory/2964-3-0x0000000000000000-mapping.dmp

Download
memory/4048-33-0x0000000000000000-mapping.dmp

Download
memory/4048-35-0x0000000000000000-mapping.dmp

Download
memory/4048-6-0x0000000000000000-mapping.dmp

Download
memory/4048-30-0x0000000000000000-mapping.dmp

Download
memory/4048-29-0x0000000000000000-mapping.dmp

Download
memory/4048-31-0x0000000000000000-mapping.dmp

Download
memory/4048-32-0x0000000000000000-mapping.dmp

Download
memory/4048-12-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/4048-34-0x0000000000000000-mapping.dmp

Download
memory/4048-11-0x00000000720D0000-0x00000000727BE000-memory.dmp

Filesize
6.9MB

Download
memory/4048-36-0x0000000000000000-mapping.dmp

Download
memory/4048-38-0x0000000000000000-mapping.dmp

Download
memory/4048-37-0x0000000000000000-mapping.dmp

Download
memory/4048-39-0x0000000000000000-mapping.dmp

Download
memory/4048-41-0x0000000000000000-mapping.dmp

Download
memory/4048-40-0x0000000000000000-mapping.dmp

Download
memory/4048-42-0x0000000000000000-mapping.dmp

Download
memory/4048-43-0x0000000000000000-mapping.dmp

Download
memory/4048-17-0x00000000052A0000-0x00000000052A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads