Analysis
Max time kernel: 114s
Max time network: 133s
Platform: windows7_x64
Resource: win7v20201028
Submitted: 09-11-2020 19:36
Static task: static1
Behavioral task: behavioral1
Sample: f30562f12f6ef79b34b52f506780e01a.exe
Resource: win7v20201028
General
Target: f30562f12f6ef79b34b52f506780e01a.exe
Size: 697KB
MD5: f30562f12f6ef79b34b52f506780e01a
SHA1: a70a54548bec648b92253ac5ac998e92ef3dabd9
SHA256: 341847d9c11face1487ab04072d6ddc5065a379011c6684e56e1f4fa8d8ab3f3
SHA512: ad7739d8c8d0de69ebd20c41cb9c7739d6cd4f388bb928e228149a8bd454f510d9b0cc379ae56a478855fea665d2cbc031256c09d4ce7a2fbaa7eeed3fc445b6
Malware Config
Signatures

Executes dropped EXE (1 IoC)
Processes:
  PID 1416  wotsuper.exe

Loads dropped DLL (2 IoCs)
Processes:
  PID 1900  f30562f12f6ef79b34b52f506780e01a.exe
  PID 1900  f30562f12f6ef79b34b52f506780e01a.exe
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  Flow 19  ip-api.com

Drops file in Program Files directory (3 IoCs)
Processes:
  File opened for modification  C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe  f30562f12f6ef79b34b52f506780e01a.exe
  File opened for modification  C:\Program Files (x86)\wotsuper\wotsuper\Uninstall.exe  f30562f12f6ef79b34b52f506780e01a.exe
  File created                  C:\Program Files (x86)\wotsuper\wotsuper\Uninstall.ini  f30562f12f6ef79b34b52f506780e01a.exe

Drops file in Windows directory (1 IoC)
Processes:
  File opened for modification  C:\Windows\wotsuper.reg  f30562f12f6ef79b34b52f506780e01a.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  wotsuper.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  wotsuper.exe

Modifies Internet Explorer settings (36 IoCs)
Processes: iexplore.exe, IEXPLORE.EXE
All keys below are under \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer, abbreviated here as IE\.
  Set value (data)  IE\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000  iexplore.exe
  Set value (data)  IE\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039e08b06c84715459283081ff7bb5a60000000000200000000001066000000010000200000001f17d73dac812d224cfb7642136e5382a549101bf68a01d747d6079cf691cb25000000000e8000000002000020000000c4947846007d746603d7e2dead122507d5086bfebe23bd0b9a053c6a06d3a7c220000000501a47b3d584fb15cf95dd5b94a27c348fd5dd28609323944653ffb1808f6d04400000007184c31876935ea526657061e2dd32dcb4be15432812a4e56a6baa0b4a220f2bd8d165e7bf6c0555b635be8c2f38bc64972d086b94eeab8554adc1ebb450682a  iexplore.exe
  Set value (data)  IE\TabbedBrowsing\NewTabPage\LastProcessed = 90874b7ae3b6d601  iexplore.exe
  Key created       IE\IntelliForms  iexplore.exe
  Key created       IE\InternetRegistry  iexplore.exe
  Set value (int)   IE\Recovery\AdminActive\{A246B721-22D6-11EB-9E5C-424ABE5A776C} = "0"  iexplore.exe
  Set value (str)   IE\Main\WindowsSearch\Version = "WS not running"  iexplore.exe
  Set value (int)   IE\DomainSuggestion\NextUpdateDate = "311724056"  iexplore.exe
  Key created       IE\LowRegistry\DontShowMeThisDialogAgain  iexplore.exe
  Key created       IE\Toolbar  iexplore.exe
  Key created       IE\Toolbar\WebBrowser  iexplore.exe
  Set value (int)   IE\TabbedBrowsing\NTPFirstRun = "1"  iexplore.exe
  Set value (data)  IE\TabbedBrowsing\NewTabPage\MFV = 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  iexplore.exe
  Key created       IE\BrowserEmulation\LowMic  iexplore.exe
  Set value (int)   IE\Recovery\PendingRecovery\AdminActive = "0"  iexplore.exe
  Key created       IE\TabbedBrowsing  iexplore.exe
  Key created       IE\Main  IEXPLORE.EXE
  Key created       IE\DomainSuggestion  iexplore.exe
  Set value (str)   IE\DomainSuggestion\FileNames\en-US = "en-US.1"  iexplore.exe
  Key created       IE\GPU  iexplore.exe
  Key created       IE\Main\WindowsSearch  iexplore.exe
  Set value (str)   IE\Main\FullScreen = "no"  iexplore.exe
  Key created       IE\LowRegistry\DOMStorage  iexplore.exe
  Key created       IE\Recovery\AdminActive  iexplore.exe
  Set value (int)   IE\Main\CompatibilityFlags = "0"  iexplore.exe
  Key created       IE\Main\WindowsSearch  IEXPLORE.EXE
  Key created       IE\DomainSuggestion\FileNames\  iexplore.exe
  Key created       IE\Main  iexplore.exe
  Key created       IE\LowRegistry  iexplore.exe
  Key created       IE\PageSetup  iexplore.exe
  Set value (str)   IE\Main\WindowsSearch\Version = "WS not running"  IEXPLORE.EXE
  Key created       IE\TabbedBrowsing\NewTabPage  iexplore.exe
  Key created       IE\DomainSuggestion\FileNames  iexplore.exe
  Key created       IE\IETld\LowMic  iexplore.exe
  Key created       IE\Zoom  iexplore.exe
  Key created       IE\Recovery\PendingRecovery  iexplore.exe
These are the keys Internet Explorer writes on any first launch; they are attributed to the sample only because the sample started the browser.
Runs .reg file with regedit (1 IoC)
Processes:
  PID 1992  regedit.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
  PID 1416  wotsuper.exe  (4 events)

Suspicious use of FindShellTrayWindow (1 IoC)
Processes:
  PID 1984  iexplore.exe

Suspicious use of SetWindowsHookEx (6 IoCs)
Processes:
  PID 1984  iexplore.exe   (2 events)
  PID 1628  IEXPLORE.EXE   (4 events)

Suspicious use of WriteProcessMemory (16 IoCs)
Processes:
  PID 1900 (f30562f12f6ef79b34b52f506780e01a.exe) wrote to memory of PID 1416 (wotsuper.exe)  x4
  PID 1900 (f30562f12f6ef79b34b52f506780e01a.exe) wrote to memory of PID 1992 (regedit.exe)   x4
  PID 1900 (f30562f12f6ef79b34b52f506780e01a.exe) wrote to memory of PID 1984 (iexplore.exe)  x4
  PID 1984 (iexplore.exe) wrote to memory of PID 1628 (IEXPLORE.EXE)  x4
Every pair here is a parent writing into a child it has just created, and each pair shows the same four writes; that is the pattern process creation itself produces, so this signature alone is not evidence of code injection.
Processes
C:\Users\Admin\AppData\Local\Temp\f30562f12f6ef79b34b52f506780e01a.exe  (PID 1900, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f30562f12f6ef79b34b52f506780e01a.exe"
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe  (PID 1416, level 2)
    Command line: "C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe"
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses

  C:\Windows\SysWOW64\regedit.exe  (PID 1992, level 2)
    Command line: "C:\Windows\System32\regedit.exe" \s C:\Windows\wotsuper.reg
    - Runs .reg file with regedit
    (The image path differs from the command line because the 32-bit parent is subject to WOW64 file system redirection of System32 to SysWOW64.)

  C:\Program Files\Internet Explorer\iexplore.exe  (PID 1984, level 2)
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1lBhp.html
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  (PID 1628, level 3)
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1984 CREDAT:275457 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
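The chain above (a binary run from the user's Temp directory that drops an executable under Program Files, silently imports a .reg file from C:\Windows, opens the browser on an iplogger.org URL and resolves ip-api.com) is easy to express as host-based detection logic. The following is an added example written for this page, not sandbox output or code from the report: it runs a few rules over constructed Sysmon-style process-creation and DNS events modelled on the process tree and flow IoC, plus one benign control event (an administrator importing a .reg file from the Desktop) that a cruder regedit rule would flag. The rule names, the domain lists and the "three rules firing" threshold are the author's assumptions.

```python
import re

# Constructed sample telemetry (not sandbox output): Sysmon-style process-creation
# and DNS events shaped after the process tree and flow IoC in this report, plus a
# benign control event that a noisy rule would wrongly flag.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 1416,
     "image": r"C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe",
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\f30562f12f6ef79b34b52f506780e01a.exe",
     "cmdline": r'"C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe"'},
    {"type": "process", "pid": 1992,
     "image": r"C:\Windows\SysWOW64\regedit.exe",
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\f30562f12f6ef79b34b52f506780e01a.exe",
     "cmdline": r'"C:\Windows\System32\regedit.exe" \s C:\Windows\wotsuper.reg'},
    {"type": "process", "pid": 1984,
     "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\f30562f12f6ef79b34b52f506780e01a.exe",
     "cmdline": r'"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1lBhp.html'},
    {"type": "dns", "pid": 1416,
     "image": r"C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe",
     "query": "ip-api.com"},
    # Benign control: an administrator importing a .reg file from the Desktop via Explorer.
    {"type": "process", "pid": 2201,
     "image": r"C:\Windows\regedit.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\regedit.exe" /s C:\Users\Admin\Desktop\tweak.reg'},
]

TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# regedit silent import: "/s" (or the "\s" spelling seen in this report) followed by a .reg path.
REG_SILENT_IMPORT_RE = re.compile(r'regedit(?:\.exe)?"?\s+[/\\]s\s+(\S+\.reg)', re.IGNORECASE)
URL_HOST_RE = re.compile(r'https?://([^/\s"]+)', re.IGNORECASE)
# Domain lists are assumptions for this example; tune them to your own telemetry.
IP_LOOKUP_DOMAINS = {"ip-api.com", "api.ipify.org", "ipinfo.io"}
TRACKING_DOMAINS = {"iplogger.org"}
BROWSERS = ("iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe")


def detect(events):
    """Map rule name -> list of PIDs whose events matched that rule."""
    hits = {}

    def add(rule, pid):
        hits.setdefault(rule, []).append(pid)

    for ev in events:
        image = ev["image"].lower()
        if ev["type"] == "process":
            parent_in_temp = bool(TEMP_DIR_RE.search(ev["parent_image"]))
            m = REG_SILENT_IMPORT_RE.search(ev["cmdline"])
            # Silent import of a .reg file that was staged in the Windows directory.
            if m and m.group(1).lower().startswith("c:\\windows\\"):
                add("regedit_silent_import_from_windows_dir", ev["pid"])
            # regedit launched by something running out of the user's Temp directory.
            if m and parent_in_temp:
                add("regedit_spawned_by_temp_binary", ev["pid"])
            # A Temp-resident binary starting an executable under Program Files.
            if parent_in_temp and "\\program files" in image:
                add("temp_binary_launches_program_files_exe", ev["pid"])
            # Browser opened by another process on a known tracking/logger URL.
            if image.endswith(BROWSERS):
                hosts = [h.lower() for h in URL_HOST_RE.findall(ev["cmdline"])]
                if any(h in TRACKING_DOMAINS for h in hosts):
                    add("browser_opened_to_tracking_url", ev["pid"])
        elif ev["type"] == "dns":
            # External IP lookup from a non-browser process.
            if ev["query"].lower() in IP_LOOKUP_DOMAINS and not image.endswith(BROWSERS):
                add("external_ip_lookup_by_non_browser", ev["pid"])
    return hits


def is_suspicious_chain(hits, min_rules=3):
    """Flag the host only when several independent rules fire: a lone regedit
    import or IP lookup is common enough in admin tooling to be noise."""
    return len(hits) >= min_rules


if __name__ == "__main__":
    for rule, pids in sorted(detect(SAMPLE_EVENTS).items()):
        print(f"{rule}: {pids}")
```

The point of the control event is that `regedit /s` on its own is a poor signal; the combination of a Temp-directory parent and a .reg file staged under C:\Windows is what separates this sample from an administrator's tweak script.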
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
  MD5:    17767f5acff3a551913e6f89ceec5abc
  SHA1:   c267c5c63c954445b38aa66d7150762dfea639d0
  SHA256: 847a2a54035b006b90f615913e22edea992115bbe0df57292fd573465ad16d9b
  SHA512: 5eed9bbca866778add3cf60ce2ceea710e6a63c2622dc00cf2cc9c2078e38f6d0d86c1173d452a3dfc85f49ff3467ac0143cc3f9e022c55e25716661178a423e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  MD5:    98f8eae8500f321b80a5ac5223c28784
  SHA1:   0c88fb0b85938ce88bacd9f4c3ce0f05fcbda4bf
  SHA256: 87ed2fc290abcd70290c33bde785f5f1de8f9fbbbd3a76bbc9b8d3560c881016
  SHA512: 2fdb613f225c3ddaf5cca86bc1ebbcf442ae2132d0e26f19a56975c287fdafc35970398fe12d8b2641459e005189618788ec0d20d4677069b2e3fb435860bbd6

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\w5ukms8\imagestore.dat
  MD5:    41bd3162f183d80176c1cf15c60f73b2
  SHA1:   07ce67b5b4c0f4c40cf5f8a8533c8ab4122e3611
  SHA256: c645965accba1ea972eb1d587de0a2e63af9191c86860de7f0cd8dde51753312
  SHA512: 74eee5072bb9ce615f0c27a356a68fca6a3ebbff0d01139182c9e7e29fc3db0e6b16ae1e8f96e311ef708757398e67b72b2b1c4723e0692a908f04cfd2af3b15

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\YW99J5FQ.txt
  MD5:    98972ffb5ec7bc2c57778b373c7fc6a7
  SHA1:   e72965ac00454a32ddcd589dd81d8ce83b889acc
  SHA256: 2e81fca6fbf42732c78271aae46daa33e09992ad2e31a0fa9f9d27e07faa5ce8
  SHA512: b90f801b28d22b94bff115f1adc0ec42b2c9991d22c92a12f18ae660e6b4242fbbaa9a863cea4b7058eb842947774b6bbb68e2619241517c5dccf0230a0f7185

\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
  MD5:    17767f5acff3a551913e6f89ceec5abc
  SHA1:   c267c5c63c954445b38aa66d7150762dfea639d0
  SHA256: 847a2a54035b006b90f615913e22edea992115bbe0df57292fd573465ad16d9b
  SHA512: 5eed9bbca866778add3cf60ce2ceea710e6a63c2622dc00cf2cc9c2078e38f6d0d86c1173d452a3dfc85f49ff3467ac0143cc3f9e022c55e25716661178a423e
-
memory/1416-9-0x0000000001EE0000-0x0000000001EF1000-memory.dmp  (Filesize: 68KB)
memory/1416-8-0x000000000030B000-0x000000000030C000-memory.dmp  (Filesize: 4KB)
memory/1416-2-0x0000000000000000-mapping.dmp
memory/1628-7-0x0000000000000000-mapping.dmp
memory/1636-6-0x000007FEF6E90000-0x000007FEF710A000-memory.dmp  (Filesize: 2.5MB)
memory/1984-5-0x0000000000000000-mapping.dmp
memory/1992-4-0x0000000000000000-mapping.dmp