d41daac02ffcc698e4ec8f46df9134532efd837ca02a6fed127e3c0fca2696c2

General

Target

d7418f626c566ce7713564ebdf968300_JC.exe
Size

225KB
MD5

d7418f626c566ce7713564ebdf968300
SHA1

3878406fe886cbc5e4c426017c1f3d79c1a0a737
SHA256

d41daac02ffcc698e4ec8f46df9134532efd837ca02a6fed127e3c0fca2696c2
SHA512

7b6d43be3fa70d4e072d5946c786b8b8961eb59387f3d9e02717ff250b776b7bb8dd6c0796f451cfe9178132f8b5e77df207ff2580b31655e67353beac7e9fd6
SSDEEP

6144:9Zl2zI79jfoaIPXmjbeqsoxk9cGxu5jLi:9mcGfPwbeqor7

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1548	OmG9Ew14jnS6nTm.exe
2252	CTS.exe

Loads dropped DLL 1 IoCs

pid	Process
1496	d7418f626c566ce7713564ebdf968300_JC.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1496-0-0x0000000000FF0000-0x0000000001009000-memory.dmp	upx
behavioral1/memory/2252-13-0x0000000000060000-0x0000000000079000-memory.dmp	upx
behavioral1/files/0x000e0000000122e4-12.dat	upx
behavioral1/files/0x000e0000000122e4-11.dat	upx
behavioral1/memory/1496-10-0x0000000000FF0000-0x0000000001009000-memory.dmp	upx
behavioral1/files/0x000e0000000122e4-9.dat	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	d7418f626c566ce7713564ebdf968300_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	d7418f626c566ce7713564ebdf968300_JC.exe
File created	C:\Windows\CTS.exe	CTS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1496	d7418f626c566ce7713564ebdf968300_JC.exe
Token: SeDebugPrivilege	2252	CTS.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 1548	1496	d7418f626c566ce7713564ebdf968300_JC.exe	28
PID 1496 wrote to memory of 1548	1496	d7418f626c566ce7713564ebdf968300_JC.exe	28
PID 1496 wrote to memory of 1548	1496	d7418f626c566ce7713564ebdf968300_JC.exe	28
PID 1496 wrote to memory of 1548	1496	d7418f626c566ce7713564ebdf968300_JC.exe	28
PID 1496 wrote to memory of 2252	1496	d7418f626c566ce7713564ebdf968300_JC.exe	30
PID 1496 wrote to memory of 2252	1496	d7418f626c566ce7713564ebdf968300_JC.exe	30
PID 1496 wrote to memory of 2252	1496	d7418f626c566ce7713564ebdf968300_JC.exe	30
PID 1496 wrote to memory of 2252	1496	d7418f626c566ce7713564ebdf968300_JC.exe	30

C:\Users\Admin\AppData\Local\Temp\d7418f626c566ce7713564ebdf968300_JC.exe
"C:\Users\Admin\AppData\Local\Temp\d7418f626c566ce7713564ebdf968300_JC.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Users\Admin\AppData\Local\Temp\OmG9Ew14jnS6nTm.exe
  C:\Users\Admin\AppData\Local\Temp\OmG9Ew14jnS6nTm.exe
  2⤵
  - Executes dropped EXE
  PID:1548
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OmG9Ew14jnS6nTm.exe

Filesize
143KB

MD5
c583d768336377e263ed3de978da7c6e

SHA1
2c48977d57dfe983781ae622056588233d7d67ee

SHA256
54836a96884e0e9b30b1ff5b3ece61ce17dd472a4b09137296cd7915ec4a0fac

SHA512
284adabd0b025057d4f43e860b9cb64fd9505439c658cf011b87fcce5b15c6d6ebeae1134373c48401b559bdb465e882798127edb7c0fbbba59f225f85150b93

Download Submit
C:\Users\Admin\AppData\Local\Temp\OmG9Ew14jnS6nTm.exe

Filesize
143KB

MD5
c583d768336377e263ed3de978da7c6e

SHA1
2c48977d57dfe983781ae622056588233d7d67ee

SHA256
54836a96884e0e9b30b1ff5b3ece61ce17dd472a4b09137296cd7915ec4a0fac

SHA512
284adabd0b025057d4f43e860b9cb64fd9505439c658cf011b87fcce5b15c6d6ebeae1134373c48401b559bdb465e882798127edb7c0fbbba59f225f85150b93

Download Submit
C:\Windows\CTS.exe

Filesize
82KB

MD5
112e2e3d0f9b5bdfc715836bfd6360cf

SHA1
3376a739daff15255ad9b6552897856df1778ed1

SHA256
739998c19476d853c1c4264b79f01c4c3429c8e34746a6e22fdb7ef07db375db

SHA512
6ec42ffda1f8c8245ece5856b6536c3dc9e6ff78bc93ab1a123ee6b01dadd2550ffa8623bd2e21038e27f2a94b305dba02f9abd31576c62d9f3ed90c98974f4b

Download Submit
C:\Windows\CTS.exe

Filesize
82KB

MD5
112e2e3d0f9b5bdfc715836bfd6360cf

SHA1
3376a739daff15255ad9b6552897856df1778ed1

SHA256
739998c19476d853c1c4264b79f01c4c3429c8e34746a6e22fdb7ef07db375db

SHA512
6ec42ffda1f8c8245ece5856b6536c3dc9e6ff78bc93ab1a123ee6b01dadd2550ffa8623bd2e21038e27f2a94b305dba02f9abd31576c62d9f3ed90c98974f4b

Download Submit
C:\Windows\CTS.exe

Filesize
82KB

MD5
112e2e3d0f9b5bdfc715836bfd6360cf

SHA1
3376a739daff15255ad9b6552897856df1778ed1

SHA256
739998c19476d853c1c4264b79f01c4c3429c8e34746a6e22fdb7ef07db375db

SHA512
6ec42ffda1f8c8245ece5856b6536c3dc9e6ff78bc93ab1a123ee6b01dadd2550ffa8623bd2e21038e27f2a94b305dba02f9abd31576c62d9f3ed90c98974f4b

Download Submit
\Users\Admin\AppData\Local\Temp\OmG9Ew14jnS6nTm.exe

Filesize
143KB

MD5
c583d768336377e263ed3de978da7c6e

SHA1
2c48977d57dfe983781ae622056588233d7d67ee

SHA256
54836a96884e0e9b30b1ff5b3ece61ce17dd472a4b09137296cd7915ec4a0fac

SHA512
284adabd0b025057d4f43e860b9cb64fd9505439c658cf011b87fcce5b15c6d6ebeae1134373c48401b559bdb465e882798127edb7c0fbbba59f225f85150b93

Download Submit
memory/1496-0-0x0000000000FF0000-0x0000000001009000-memory.dmp

Filesize
100KB

Download
memory/1496-10-0x0000000000FF0000-0x0000000001009000-memory.dmp

Filesize
100KB

Download
memory/1548-17-0x0000000000EB0000-0x0000000000ED8000-memory.dmp

Filesize
160KB

Download
memory/1548-18-0x000007FEF5A60000-0x000007FEF644C000-memory.dmp

Filesize
9.9MB

Download
memory/1548-19-0x000000001ACC0000-0x000000001AD40000-memory.dmp

Filesize
512KB

Download
memory/1548-20-0x000007FEF5A60000-0x000007FEF644C000-memory.dmp

Filesize
9.9MB

Download
memory/2252-13-0x0000000000060000-0x0000000000079000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads