f1f53fbbf5c2a88cf3cf8c1727925ec0d83f9a349a7ea2d54b87bd386b220085

Analysis

max time kernel
147s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
23-09-2023 14:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6d001558c9622c540bf9511fd0c7a5e_JC.exe
Size

84KB
MD5

e6d001558c9622c540bf9511fd0c7a5e
SHA1

57ef52759996726e72a343b8957c2565b058dc10
SHA256

f1f53fbbf5c2a88cf3cf8c1727925ec0d83f9a349a7ea2d54b87bd386b220085
SHA512

39cedffdd4dda765e2e0ffa4f138724ece860bc5cc95c1df2a9d0b2b8b3de1e3be7b28984ff24be03f63b5b430e9bf44b7edb4a65468ce60b68c5b995518ffe2
SSDEEP

768:eCNK2cNW0QbRsWjcd+6yBFLqJ4Z8qx70RM8/O/B2ZR1RGn8NIoGLLRNeom:eEcNjQlsWjcd+xzl7SM+Gn8255Neom

Score

7^/10

persistence spyware stealer upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4728	CTS.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3860-0-0x0000000000D80000-0x0000000000D99000-memory.dmp	upx
behavioral2/files/0x0008000000023254-5.dat	upx
behavioral2/files/0x0008000000023254-8.dat	upx
behavioral2/memory/4728-7-0x0000000000E90000-0x0000000000EA9000-memory.dmp	upx
behavioral2/memory/3860-9-0x0000000000D80000-0x0000000000D99000-memory.dmp	upx
behavioral2/files/0x000200000001e890-12.dat	upx
behavioral2/files/0x0007000000000038-28.dat	upx
behavioral2/memory/4728-30-0x0000000000E90000-0x0000000000EA9000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	e6d001558c9622c540bf9511fd0c7a5e_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	e6d001558c9622c540bf9511fd0c7a5e_JC.exe
File created	C:\Windows\CTS.exe	CTS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3860	e6d001558c9622c540bf9511fd0c7a5e_JC.exe
Token: SeDebugPrivilege	4728	CTS.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3860 wrote to memory of 4728	3860	e6d001558c9622c540bf9511fd0c7a5e_JC.exe	85
PID 3860 wrote to memory of 4728	3860	e6d001558c9622c540bf9511fd0c7a5e_JC.exe	85
PID 3860 wrote to memory of 4728	3860	e6d001558c9622c540bf9511fd0c7a5e_JC.exe	85

C:\Users\Admin\AppData\Local\Temp\e6d001558c9622c540bf9511fd0c7a5e_JC.exe
"C:\Users\Admin\AppData\Local\Temp\e6d001558c9622c540bf9511fd0c7a5e_JC.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3860
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:4728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\msoia.exe_Rules.xml

Filesize
85KB

MD5
34ba3afd0e1a9d85484de07fc7ed41a9

SHA1
e2fb8ea0e4457d97ccbfddd8ca0d2b41a40c348e

SHA256
bbd36ee347935b29ae88c1e3487126cb5acdb0a8502345058e5a4cd11d97b705

SHA512
fd533cde4496c526ec97dc081f9820b7b7503c6d3fe6bf4e2ca92f5077a247dd1adfddcd4d24aa1cee77564b9159b54e9fd78b69a04010aec7fa31f123a484ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\go7AettYLwzCeyN.exe

Filesize
84KB

MD5
89554c92fb37af85a73a5505ab5830cc

SHA1
d39abffece98b0baac17033c6ed31f5f1cc5b593

SHA256
db39e0520b0ba6f5350df7dba57995961db79df879e44cfd0438043521e95c6e

SHA512
c7a162f2dc5eec9b3d50100705cf79bd7b395a6321a3530ece5cb0713b3f041d0399e46f08bf26e7979bc9d5c7f405af69394cc7224a6368402965508889ddd4

Download Submit
C:\Windows\CTS.exe

Filesize
84KB

MD5
61e4cd6776d8367eee2470e5452bdd15

SHA1
ce19b517032d6cd9b201a4e74eaaf009f86d6563

SHA256
ff52d994f38f49789547cf1efe7c6a6535162c2ee1c405dadd229a6be1cf23a3

SHA512
ba6db6db02788cc9b3bbaed92fb4a47d11f9a857a00b5384ec4f5f4baa91825a6800f255f030c0ac455ab3562c321c632ab39ad4ddfcedd9530db1515fe6cd77

Download Submit
C:\Windows\CTS.exe

Filesize
84KB

MD5
61e4cd6776d8367eee2470e5452bdd15

SHA1
ce19b517032d6cd9b201a4e74eaaf009f86d6563

SHA256
ff52d994f38f49789547cf1efe7c6a6535162c2ee1c405dadd229a6be1cf23a3

SHA512
ba6db6db02788cc9b3bbaed92fb4a47d11f9a857a00b5384ec4f5f4baa91825a6800f255f030c0ac455ab3562c321c632ab39ad4ddfcedd9530db1515fe6cd77

Download Submit
memory/3860-0-0x0000000000D80000-0x0000000000D99000-memory.dmp

Filesize
100KB

Download
memory/3860-9-0x0000000000D80000-0x0000000000D99000-memory.dmp

Filesize
100KB

Download
memory/4728-7-0x0000000000E90000-0x0000000000EA9000-memory.dmp

Filesize
100KB

Download
memory/4728-30-0x0000000000E90000-0x0000000000EA9000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads