e143b7d574448259a7460817662e75e5f17c4686462b3f5b7422c82486f53abd

General

Target

0a15cb345ff9c3b6166e3139e2522b93_JC.exe
Size

896KB
MD5

0a15cb345ff9c3b6166e3139e2522b93
SHA1

3cc8c220c33352ec5dbe5f067f9e8ca94d30adf7
SHA256

e143b7d574448259a7460817662e75e5f17c4686462b3f5b7422c82486f53abd
SHA512

5db7d77117bdee841f3bb8220907157f70394e60bd71706d3d7fcfb4d2d1ba1cc3158a01f5b9d862ed04947610c173ffdd7c3d0f595ef0870ae289b89519a0f4
SSDEEP

24576:ZRkkvPYlaAD2E3Qi0hAPlFtweDp4in8GgEdunxLW0E:ZRk0PMaMJQiSAt0eDp4i8GnQxLPE

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2188	zNYL9NbQZgm4JSW.exe
1948	CTS.exe

Loads dropped DLL 2 IoCs

pid	Process
1704	0a15cb345ff9c3b6166e3139e2522b93_JC.exe
1704	0a15cb345ff9c3b6166e3139e2522b93_JC.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1704-0-0x0000000000E70000-0x0000000000E98000-memory.dmp	upx
behavioral1/files/0x000c000000012269-14.dat	upx
behavioral1/files/0x000c000000012269-7.dat	upx
behavioral1/memory/1704-13-0x0000000000E70000-0x0000000000E98000-memory.dmp	upx
behavioral1/memory/1948-17-0x0000000001190000-0x00000000011B8000-memory.dmp	upx
behavioral1/files/0x000c000000012269-18.dat	upx
behavioral1/memory/1948-22-0x0000000001190000-0x00000000011B8000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	0a15cb345ff9c3b6166e3139e2522b93_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	0a15cb345ff9c3b6166e3139e2522b93_JC.exe
File created	C:\Windows\CTS.exe	CTS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1704	0a15cb345ff9c3b6166e3139e2522b93_JC.exe
Token: SeDebugPrivilege	1948	CTS.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 2188	1704	0a15cb345ff9c3b6166e3139e2522b93_JC.exe	28
PID 1704 wrote to memory of 2188	1704	0a15cb345ff9c3b6166e3139e2522b93_JC.exe	28
PID 1704 wrote to memory of 2188	1704	0a15cb345ff9c3b6166e3139e2522b93_JC.exe	28
PID 1704 wrote to memory of 2188	1704	0a15cb345ff9c3b6166e3139e2522b93_JC.exe	28
PID 1704 wrote to memory of 1948	1704	0a15cb345ff9c3b6166e3139e2522b93_JC.exe	29
PID 1704 wrote to memory of 1948	1704	0a15cb345ff9c3b6166e3139e2522b93_JC.exe	29
PID 1704 wrote to memory of 1948	1704	0a15cb345ff9c3b6166e3139e2522b93_JC.exe	29
PID 1704 wrote to memory of 1948	1704	0a15cb345ff9c3b6166e3139e2522b93_JC.exe	29

C:\Users\Admin\AppData\Local\Temp\0a15cb345ff9c3b6166e3139e2522b93_JC.exe
"C:\Users\Admin\AppData\Local\Temp\0a15cb345ff9c3b6166e3139e2522b93_JC.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Users\Admin\AppData\Local\Temp\zNYL9NbQZgm4JSW.exe
  C:\Users\Admin\AppData\Local\Temp\zNYL9NbQZgm4JSW.exe
  2⤵
  - Executes dropped EXE
  PID:2188
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\zNYL9NbQZgm4JSW.exe

Filesize
896KB

MD5
79727aea15bd68bdcb537abb8ec4e1e4

SHA1
ed22462a47308fecca9d6666f22b1d7815c24453

SHA256
53de7ca72be47c622bbd89a02cc1c266e633d7c8e93609f7aa3e5cb5714fd399

SHA512
24c6e36c6ac3589efda10a2726c2b287d6f174ec862a1efe1b6353dce5c0bbfe052fd891175f61a54ea962eb282607740e6eb95aa689cd4b8c54aac700d4dcdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\zNYL9NbQZgm4JSW.exe

Filesize
734KB

MD5
7d65d4df4668d117f25e083dd9dda24a

SHA1
d8b1bb64a08b0c4b42f8f63a630201d423ad30bd

SHA256
d0172a34261ca453ee63ad0ad54c56800433d3ffedfaef23ff3c9858a5a10edd

SHA512
044f00d942b5964f940ad23c0030fff97b169dec5f510a1d5ef62af7cfd7e189d936a0414c5b280e7421f4949ecaff6d307fec39f1cbf02a575edb89ebc04bdd

Download Submit
C:\Windows\CTS.exe

Filesize
161KB

MD5
e8f8a485ab339763f170f82d68d4107d

SHA1
460dad0367cb4cdc47abd3c56f08f93693aff1c9

SHA256
371b30e5623c6337ad98c420f570bc9c86878ddec314e404e570c4348554c17b

SHA512
7d22ef520543c5f7b7f0d816a0eaabcf093a03c96de2a002d035d3eb0d27abcff9dfcfa88113bcf2b51a5eb638c4b39c35c031054a3a4314e4c1190928d240f5

Download Submit
C:\Windows\CTS.exe

Filesize
161KB

MD5
e8f8a485ab339763f170f82d68d4107d

SHA1
460dad0367cb4cdc47abd3c56f08f93693aff1c9

SHA256
371b30e5623c6337ad98c420f570bc9c86878ddec314e404e570c4348554c17b

SHA512
7d22ef520543c5f7b7f0d816a0eaabcf093a03c96de2a002d035d3eb0d27abcff9dfcfa88113bcf2b51a5eb638c4b39c35c031054a3a4314e4c1190928d240f5

Download Submit
C:\Windows\CTS.exe

Filesize
161KB

MD5
e8f8a485ab339763f170f82d68d4107d

SHA1
460dad0367cb4cdc47abd3c56f08f93693aff1c9

SHA256
371b30e5623c6337ad98c420f570bc9c86878ddec314e404e570c4348554c17b

SHA512
7d22ef520543c5f7b7f0d816a0eaabcf093a03c96de2a002d035d3eb0d27abcff9dfcfa88113bcf2b51a5eb638c4b39c35c031054a3a4314e4c1190928d240f5

Download Submit
\Users\Admin\AppData\Local\Temp\zNYL9NbQZgm4JSW.exe

Filesize
734KB

MD5
7d65d4df4668d117f25e083dd9dda24a

SHA1
d8b1bb64a08b0c4b42f8f63a630201d423ad30bd

SHA256
d0172a34261ca453ee63ad0ad54c56800433d3ffedfaef23ff3c9858a5a10edd

SHA512
044f00d942b5964f940ad23c0030fff97b169dec5f510a1d5ef62af7cfd7e189d936a0414c5b280e7421f4949ecaff6d307fec39f1cbf02a575edb89ebc04bdd

Download Submit
\Users\Admin\AppData\Local\Temp\zNYL9NbQZgm4JSW.exe

Filesize
734KB

MD5
7d65d4df4668d117f25e083dd9dda24a

SHA1
d8b1bb64a08b0c4b42f8f63a630201d423ad30bd

SHA256
d0172a34261ca453ee63ad0ad54c56800433d3ffedfaef23ff3c9858a5a10edd

SHA512
044f00d942b5964f940ad23c0030fff97b169dec5f510a1d5ef62af7cfd7e189d936a0414c5b280e7421f4949ecaff6d307fec39f1cbf02a575edb89ebc04bdd

Download Submit
memory/1704-15-0x0000000000220000-0x0000000000248000-memory.dmp

Filesize
160KB

Download
memory/1704-16-0x0000000000220000-0x0000000000248000-memory.dmp

Filesize
160KB

Download
memory/1704-0-0x0000000000E70000-0x0000000000E98000-memory.dmp

Filesize
160KB

Download
memory/1704-13-0x0000000000E70000-0x0000000000E98000-memory.dmp

Filesize
160KB

Download
memory/1948-17-0x0000000001190000-0x00000000011B8000-memory.dmp

Filesize
160KB

Download
memory/1948-22-0x0000000001190000-0x00000000011B8000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads