Analysis
- max time kernel: 34s
- max time network: 41s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 16/03/2025, 18:35
Static task: static1
Behavioral task: behavioral1
- Sample: sample2.exe
- Resource: win10v2004-20250313-en
Behavioral task: behavioral2
- Sample: sample2.exe
- Resource: win11-20250313-en
General
- Target: sample2.exe
- Size: 871KB
- MD5: dd1b734796b4aa40af46b4d69e1e2da2
- SHA1: d5273be84dfa0c54fc9cefff7bcc24fed3e20e1c
- SHA256: 361411e6321c45c845669ac89e32feec0bdd97916b5d73f508c43576b8a15a20
- SHA512: 2de21b09091caaa2cfca919fb8e5777afb80ff1eba12b81b2f9a6fde3c94aea52f3bba22ad801bae37fb8816fc7e738c54fc2639d8f6cf47e04d4bc0dbd2af56
- SSDEEP: 12288:iANwRo+mv8QD4+0V165iTr/erjzuQhyACzHDxx/PI11TUeJpIPxSG6zKzxSg564k:iAT8QE+kms0LrSPY/TUeJ4jVzCW1qQa
Malware Config
Extracted
vidar
28.3
651
http://manillamemories.com/
profile_id: 651
Signatures
Raccoon Stealer V1 payload 1 IoCs
- resource: behavioral3/memory/2652-84-0x0000000000400000-0x00000000032DB000-memory.dmp, yara_rule: family_raccoon_v1
Raccoon family
Vidar family
Vidar Stealer 1 IoCs
- resource: behavioral3/files/0x00060000000193ac-36.dat, yara_rule: family_vidar
Executes dropped EXE 2 IoCs
- PID 2652: wotsuper.exe
- PID 2784: wotsuper1.exe
Loads dropped DLL 4 IoCs
- PID 3008: sample2.exe (4 events)
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk, where infostealers will often target it.
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 2 IoCs
- Set value (str): \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Advanced SystemCare = "\"C:\\Program Files (x86)\\IObit\\Advanced SystemCare\\ASCTray.exe\" /Auto" (regedit.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\wotsuper (regedit.exe)
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
- flows 3, 13, 14: iplogger.org
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 17: ip-api.com
Drops file in Program Files directory 4 IoCs
- File opened for modification: C:\Program Files (x86)\wotsuper\wotsuper\Uninstall.exe (sample2.exe)
- File created: C:\Program Files (x86)\wotsuper\wotsuper\Uninstall.ini (sample2.exe)
- File opened for modification: C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe (sample2.exe)
- File opened for modification: C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe (sample2.exe)
Drops file in Windows directory 1 IoCs
- File opened for modification: C:\Windows\wotsuper.reg (sample2.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (sample2.exe, IEXPLORE.EXE, regedit.exe, wotsuper.exe, wotsuper1.exe)
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (wotsuper1.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (wotsuper1.exe)
Modifies Internet Explorer settings
Runs .reg file with regedit 1 IoCs
- PID 2272: regedit.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
- PID 2784: wotsuper1.exe (4 events)
Suspicious use of FindShellTrayWindow 2 IoCs
- PID 2208: iexplore.exe (2 events)
Suspicious use of SetWindowsHookEx 10 IoCs
- PID 2208: iexplore.exe (4 events)
- PID 2684: IEXPLORE.EXE (6 events)
Suspicious use of WriteProcessMemory 24 IoCs
- PID 3008 (sample2.exe) wrote to memory of PID 2208, procid_target 31 (4 events)
- PID 3008 (sample2.exe) wrote to memory of PID 2652, procid_target 32 (4 events)
- PID 3008 (sample2.exe) wrote to memory of PID 2784, procid_target 33 (4 events)
- PID 2208 (iexplore.exe) wrote to memory of PID 2684, procid_target 34 (4 events)
- PID 3008 (sample2.exe) wrote to memory of PID 2272, procid_target 35 (4 events)
- PID 3008 (sample2.exe) wrote to memory of PID 2676, procid_target 36 (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\sample2.exe (PID 3008)
  Command line: "C:\Users\Admin\AppData\Local\Temp\sample2.exe"
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Internet Explorer\iexplore.exe (PID 2208)
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1Ldta7.html
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 2684)
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2208 CREDAT:275457 /prefetch:2
      - System Location Discovery: System Language Discovery
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
  - C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe (PID 2652)
    Command line: "C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
  - C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe (PID 2784)
    Command line: "C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\regedit.exe (PID 2272)
    Command line: "C:\Windows\System32\regedit.exe" \s C:\Windows\wotsuper.reg
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Runs .reg file with regedit
  - C:\Program Files\Internet Explorer\iexplore.exe (PID 2676)
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1smEq7.html
MITRE ATT&CK Enterprise v15
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
- Credential Access
  - Credentials from Password Stores (1)
    - Credentials from Web Browsers (1)
  - Unsecured Credentials (4)
    - Credentials In Files (4)
Downloads