d41daac02ffcc698e4ec8f46df9134532efd837ca02a6fed127e3c0fca2696c2

General

Target

d7418f626c566ce7713564ebdf968300_JC.exe
Size

225KB
MD5

d7418f626c566ce7713564ebdf968300
SHA1

3878406fe886cbc5e4c426017c1f3d79c1a0a737
SHA256

d41daac02ffcc698e4ec8f46df9134532efd837ca02a6fed127e3c0fca2696c2
SHA512

7b6d43be3fa70d4e072d5946c786b8b8961eb59387f3d9e02717ff250b776b7bb8dd6c0796f451cfe9178132f8b5e77df207ff2580b31655e67353beac7e9fd6
SSDEEP

6144:9Zl2zI79jfoaIPXmjbeqsoxk9cGxu5jLi:9mcGfPwbeqor7

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2632	LGC1nrA3XBBUi0s.exe
3680	CTS.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1660-0-0x00000000004B0000-0x00000000004C9000-memory.dmp	upx
behavioral2/files/0x00060000000231c1-7.dat	upx
behavioral2/memory/3680-9-0x0000000000F40000-0x0000000000F59000-memory.dmp	upx
behavioral2/memory/1660-8-0x00000000004B0000-0x00000000004C9000-memory.dmp	upx
behavioral2/files/0x00060000000231c1-6.dat	upx
behavioral2/files/0x00080000000230c2-14.dat	upx
behavioral2/memory/3680-34-0x0000000000F40000-0x0000000000F59000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	d7418f626c566ce7713564ebdf968300_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	d7418f626c566ce7713564ebdf968300_JC.exe
File created	C:\Windows\CTS.exe	CTS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1660	d7418f626c566ce7713564ebdf968300_JC.exe
Token: SeDebugPrivilege	3680	CTS.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 2632	1660	d7418f626c566ce7713564ebdf968300_JC.exe	84
PID 1660 wrote to memory of 2632	1660	d7418f626c566ce7713564ebdf968300_JC.exe	84
PID 1660 wrote to memory of 3680	1660	d7418f626c566ce7713564ebdf968300_JC.exe	85
PID 1660 wrote to memory of 3680	1660	d7418f626c566ce7713564ebdf968300_JC.exe	85
PID 1660 wrote to memory of 3680	1660	d7418f626c566ce7713564ebdf968300_JC.exe	85

C:\Users\Admin\AppData\Local\Temp\d7418f626c566ce7713564ebdf968300_JC.exe
"C:\Users\Admin\AppData\Local\Temp\d7418f626c566ce7713564ebdf968300_JC.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Users\Admin\AppData\Local\Temp\LGC1nrA3XBBUi0s.exe
  C:\Users\Admin\AppData\Local\Temp\LGC1nrA3XBBUi0s.exe
  2⤵
  - Executes dropped EXE
  PID:2632
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:3680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
406KB

MD5
a2266804b50fff971f681f70e49a06bf

SHA1
d2df346bf81c91db05755e0df384d4d041ddc256

SHA256
483294b284ccaadd50515f2d6434dcfcdd47a87eca8b401763e231ea8b7af67f

SHA512
fcc9c5c7e733c86bda889c752e3aefe1ab42c97869a8545a1ea4800ecc5e33102a81563392fc09b31f28e12096e96f62b69406806018795851cf9b62ade0e970

Download Submit
C:\Users\Admin\AppData\Local\Temp\LGC1nrA3XBBUi0s.exe

Filesize
143KB

MD5
c583d768336377e263ed3de978da7c6e

SHA1
2c48977d57dfe983781ae622056588233d7d67ee

SHA256
54836a96884e0e9b30b1ff5b3ece61ce17dd472a4b09137296cd7915ec4a0fac

SHA512
284adabd0b025057d4f43e860b9cb64fd9505439c658cf011b87fcce5b15c6d6ebeae1134373c48401b559bdb465e882798127edb7c0fbbba59f225f85150b93

Download Submit
C:\Users\Admin\AppData\Local\Temp\LGC1nrA3XBBUi0s.exe

Filesize
143KB

MD5
c583d768336377e263ed3de978da7c6e

SHA1
2c48977d57dfe983781ae622056588233d7d67ee

SHA256
54836a96884e0e9b30b1ff5b3ece61ce17dd472a4b09137296cd7915ec4a0fac

SHA512
284adabd0b025057d4f43e860b9cb64fd9505439c658cf011b87fcce5b15c6d6ebeae1134373c48401b559bdb465e882798127edb7c0fbbba59f225f85150b93

Download Submit
C:\Windows\CTS.exe

Filesize
82KB

MD5
112e2e3d0f9b5bdfc715836bfd6360cf

SHA1
3376a739daff15255ad9b6552897856df1778ed1

SHA256
739998c19476d853c1c4264b79f01c4c3429c8e34746a6e22fdb7ef07db375db

SHA512
6ec42ffda1f8c8245ece5856b6536c3dc9e6ff78bc93ab1a123ee6b01dadd2550ffa8623bd2e21038e27f2a94b305dba02f9abd31576c62d9f3ed90c98974f4b

Download Submit
C:\Windows\CTS.exe

Filesize
82KB

MD5
112e2e3d0f9b5bdfc715836bfd6360cf

SHA1
3376a739daff15255ad9b6552897856df1778ed1

SHA256
739998c19476d853c1c4264b79f01c4c3429c8e34746a6e22fdb7ef07db375db

SHA512
6ec42ffda1f8c8245ece5856b6536c3dc9e6ff78bc93ab1a123ee6b01dadd2550ffa8623bd2e21038e27f2a94b305dba02f9abd31576c62d9f3ed90c98974f4b

Download Submit
memory/1660-0-0x00000000004B0000-0x00000000004C9000-memory.dmp

Filesize
100KB

Download
memory/1660-8-0x00000000004B0000-0x00000000004C9000-memory.dmp

Filesize
100KB

Download
memory/2632-12-0x0000000000F90000-0x0000000000FB8000-memory.dmp

Filesize
160KB

Download
memory/2632-18-0x00007FFA5D380000-0x00007FFA5DE41000-memory.dmp

Filesize
10.8MB

Download
memory/2632-35-0x00007FFA5D380000-0x00007FFA5DE41000-memory.dmp

Filesize
10.8MB

Download
memory/3680-9-0x0000000000F40000-0x0000000000F59000-memory.dmp

Filesize
100KB

Download
memory/3680-34-0x0000000000F40000-0x0000000000F59000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads