Analysis

  • max time kernel
    149s
  • max time network
    144s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    09-11-2020 19:49

General

  • Target

    fed55c7266cf091330b67ef4a5d8756a.exe

  • Size

    504KB

  • MD5

    fed55c7266cf091330b67ef4a5d8756a

  • SHA1

    96f2724c024afae6a85dd67c4dd32adf240dffd5

  • SHA256

    9d50a832749b89ed5ac52dd84acf0ae6cd16196267401d1ad1cbfc8506f92bba

  • SHA512

    caad5eb4613e8316b15959f08dc6dde57d220584ad72c964bc3a7179d83ada061e3fd434e11f0b7d898ade461ef665f63c8ead4164f588927b3b9a338decdb04

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • ServiceHost packer 14 IoCs

    Detects ServiceHost packer used for .NET malware

  • Executes dropped EXE 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 2 IoCs
  • Program crash 1 IoCs
  • NSIS installer 2 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Control Panel 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 1 IoCs
  • Modifies registry class 273 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fed55c7266cf091330b67ef4a5d8756a.exe
    "C:\Users\Admin\AppData\Local\Temp\fed55c7266cf091330b67ef4a5d8756a.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:648
    • C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
      "C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks processor information in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:988
      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c start tmp1.exe & start tmp2.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2864
        • C:\Users\Admin\AppData\Local\Temp\tmp1.exe
          tmp1.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:504
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 504 -s 1800
            5⤵
            • Program crash
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:5040
        • C:\Users\Admin\AppData\Local\Temp\tmp2.exe
          tmp2.exe
          4⤵
          • Executes dropped EXE
          PID:1204
    • C:\Windows\SysWOW64\regedit.exe
      "C:\Windows\System32\regedit.exe" \s C:\Windows\wotsuper.reg
      2⤵
      • Runs .reg file with regedit
      PID:3160
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
    1⤵
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:896
  • C:\Windows\system32\browser_broker.exe
    C:\Windows\system32\browser_broker.exe -Embedding
    1⤵
    • Modifies Internet Explorer settings
    PID:3956
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2268
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:2532
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NgcSvc
    1⤵
    PID:4440
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
    1⤵
    PID:4460
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s NgcCtnrSvc
    1⤵
    • Modifies data under HKEY_USERS
    PID:4500
  • C:\Windows\system32\efsui.exe
    efsui.exe /efs /keybackup
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4548
  • C:\Windows\system32\cmd.exe
    cmd /c choice /C Y /N /D Y /T 3 & del "C:\Users\Admin\AppData\Local\Temp\tmp2.exe" & C:\Users\Admin\AppData\Local\Microsoft\spoolsvc.exe
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:4580
    • C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      2⤵
      PID:4632
    • C:\Users\Admin\AppData\Local\Microsoft\spoolsvc.exe
      C:\Users\Admin\AppData\Local\Microsoft\spoolsvc.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      PID:4684
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:4808
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    PID:2180
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    PID:4640

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence
    Registry Run Keys / Startup Folder (T1060): 1 signature
  • Defense Evasion
    Modify Registry (T1112): 2 signatures
  • Discovery
    Query Registry (T1012): 3 signatures
    System Information Discovery (T1082): 2 signatures
  • Command and Control
    Web Service (T1102): 1 signature


Downloads

  • C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
    MD5
    1097a83890f4f6ba87762a98166e8091
    SHA1
    82630ccff8a0054117bd555943a77d415b866174
    SHA256
    eb6bf79c7b82421439fbe0884fde1b963a56d424f1a642e7db9e56e2792a4fc8
    SHA512
    5ba5f76b9a08b3c523052c464187410e955a49681847c1de792590095fd190137a5f7952ec4c57d67e28fca8a17ef5ebf5bfab26ebc77beaefc0749f41b2f9d1

  • C:\Users\Admin\AppData\Local\Microsoft\spoolsvc.exe
    MD5
    e76739b49a4f804989d54946bc7da936
    SHA1
    67f4113a3af2561ef011cffc33146dc7cb48514d
    SHA256
    783122da15a5aaa2c6bda3b76ed0ce77d988150698b65ac0a460e207f6e623bf
    SHA512
    7ede05cb06ccf69e91d695127ef3fe2be8ccaf5f533355236caa7bd8c9f26178acf9f9fdfe8a0622ee7326341eb74b26256b2b3daf1c0c1a66135e2b8b26ce29

  • C:\Users\Admin\AppData\Local\Temp\tmp1.exe
    MD5
    ed78b5b2e535267593966c8d20a9fadc
    SHA1
    4d88a99d92ec6192d1279b4e6f5d52b640b72e3c
    SHA256
    ce6e57d77a6a5bab02eb37d771a2b225fc8b0ad24e8382ae111f277788a528e6
    SHA512
    603bcf69dbbde6728afc50eaa43584ef4fe39f20c5b3b4f79ea9b13801b64f94855118e89ccc46dbdf50ec289d4861f3fb8921a9464188cdbb76402727b3ba4f

  • C:\Users\Admin\AppData\Local\Temp\tmp2.exe
    MD5
    e76739b49a4f804989d54946bc7da936
    SHA1
    67f4113a3af2561ef011cffc33146dc7cb48514d
    SHA256
    783122da15a5aaa2c6bda3b76ed0ce77d988150698b65ac0a460e207f6e623bf
    SHA512
    7ede05cb06ccf69e91d695127ef3fe2be8ccaf5f533355236caa7bd8c9f26178acf9f9fdfe8a0622ee7326341eb74b26256b2b3daf1c0c1a66135e2b8b26ce29

  • \Users\Admin\AppData\Local\Temp\nsf6D76.tmp\IRq.dll
    MD5
    293165db1e46070410b4209519e67494
    SHA1
    777b96a4f74b6c34d43a4e7c7e656757d1c97f01
    SHA256
    49b7477db8dd22f8cf2d41ee2d79ce57797f02e8c7b9e799951a6c710384349a
    SHA512
    97012139f2da5868fe8731c0b0bcb3cfda29ed10c2e6e2336b504480c9cd9fb8f4728cca23f1e0bd577d75daa542e59f94d1d341f4e8aaeebc7134bf61288c19

  • \Users\Admin\AppData\Local\Temp\nsf6D76.tmp\JBH.dll
    MD5
    44e5c77cae3ae434d1e4e619bdb1c39b
    SHA1
    9988f020eac45207d148668227b6819a38bdafa0
    SHA256
    326c406116026019a41c94b2e6b4c1061154f3bc9a395638063dae349f8a7579
    SHA512
    c3e40499d1296bebd2b1a770d9cd1f025859963a0f6dff002eb336f069f057ac4b3d2f5819232af6d2802ba1a3770f62440136030eb37355fa6f5b6ee0bc0470

  • \Users\Admin\AppData\Local\Temp\nsf6D76.tmp\System.dll
    MD5
    0063d48afe5a0cdc02833145667b6641
    SHA1
    e7eb614805d183ecb1127c62decb1a6be1b4f7a8
    SHA256
    ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7
    SHA512
    71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0
