e143b7d574448259a7460817662e75e5f17c4686462b3f5b7422c82486f53abd

General

Target

0a15cb345ff9c3b6166e3139e2522b93_JC.exe
Size

896KB
MD5

0a15cb345ff9c3b6166e3139e2522b93
SHA1

3cc8c220c33352ec5dbe5f067f9e8ca94d30adf7
SHA256

e143b7d574448259a7460817662e75e5f17c4686462b3f5b7422c82486f53abd
SHA512

5db7d77117bdee841f3bb8220907157f70394e60bd71706d3d7fcfb4d2d1ba1cc3158a01f5b9d862ed04947610c173ffdd7c3d0f595ef0870ae289b89519a0f4
SSDEEP

24576:ZRkkvPYlaAD2E3Qi0hAPlFtweDp4in8GgEdunxLW0E:ZRk0PMaMJQiSAt0eDp4i8GnQxLPE

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4212	LEWUcxMO46ZeT2U.exe
3824	CTS.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3516-0-0x0000000000540000-0x0000000000568000-memory.dmp	upx
behavioral2/memory/3824-8-0x0000000000FB0000-0x0000000000FD8000-memory.dmp	upx
behavioral2/files/0x000200000002288b-6.dat	upx
behavioral2/files/0x000200000002288b-9.dat	upx
behavioral2/memory/3516-7-0x0000000000540000-0x0000000000568000-memory.dmp	upx
behavioral2/files/0x000200000001e804-12.dat	upx
behavioral2/memory/3824-31-0x0000000000FB0000-0x0000000000FD8000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	0a15cb345ff9c3b6166e3139e2522b93_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	0a15cb345ff9c3b6166e3139e2522b93_JC.exe
File created	C:\Windows\CTS.exe	CTS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3516	0a15cb345ff9c3b6166e3139e2522b93_JC.exe
Token: SeDebugPrivilege	3824	CTS.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3516 wrote to memory of 4212	3516	0a15cb345ff9c3b6166e3139e2522b93_JC.exe	82
PID 3516 wrote to memory of 4212	3516	0a15cb345ff9c3b6166e3139e2522b93_JC.exe	82
PID 3516 wrote to memory of 3824	3516	0a15cb345ff9c3b6166e3139e2522b93_JC.exe	83
PID 3516 wrote to memory of 3824	3516	0a15cb345ff9c3b6166e3139e2522b93_JC.exe	83
PID 3516 wrote to memory of 3824	3516	0a15cb345ff9c3b6166e3139e2522b93_JC.exe	83

C:\Users\Admin\AppData\Local\Temp\0a15cb345ff9c3b6166e3139e2522b93_JC.exe
"C:\Users\Admin\AppData\Local\Temp\0a15cb345ff9c3b6166e3139e2522b93_JC.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3516
- C:\Users\Admin\AppData\Local\Temp\LEWUcxMO46ZeT2U.exe
  C:\Users\Admin\AppData\Local\Temp\LEWUcxMO46ZeT2U.exe
  2⤵
  - Executes dropped EXE
  PID:4212
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:3824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\msoia.exe_Rules.xml

Filesize
162KB

MD5
ea1aefd5e952356f5f95ca1f7e3fb4b2

SHA1
60214a3b705685c5205edd6543aa7a6387214e26

SHA256
ea614edaaadfbce5a3bce3eac5e4a7f0eaf0ee5695593ebb8bdcb9eae068cbe2

SHA512
539a0b16c8f1f3f3bdfe4f7fde02f5269ffce0f3eac422b93f1728b1f7ab9c5bcc981279c8a7fa71db8a9f9e664893c40e10a8846e463de5aea5db8a2360c381

Download Submit
C:\Users\Admin\AppData\Local\Temp\LEWUcxMO46ZeT2U.exe

Filesize
896KB

MD5
5557e5806eb64c0fe35dcc87f7ddddbb

SHA1
6b15e5fb844f32d23b183297b7bf4dc480686510

SHA256
f4492e7ca42163df13fffb76e0802e9e7b17005d522ddb16b1599d9fb606cd59

SHA512
a68c0ce275546fa5856e4821def8d6e6c7c6a8e7e55d3ef7eb35cfc6de017103a11259a9171a658cfa26907b757211483e4580311bf0f4dfff1fb8615d201a7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\LEWUcxMO46ZeT2U.exe

Filesize
734KB

MD5
7d65d4df4668d117f25e083dd9dda24a

SHA1
d8b1bb64a08b0c4b42f8f63a630201d423ad30bd

SHA256
d0172a34261ca453ee63ad0ad54c56800433d3ffedfaef23ff3c9858a5a10edd

SHA512
044f00d942b5964f940ad23c0030fff97b169dec5f510a1d5ef62af7cfd7e189d936a0414c5b280e7421f4949ecaff6d307fec39f1cbf02a575edb89ebc04bdd

Download Submit
C:\Windows\CTS.exe

Filesize
161KB

MD5
e8f8a485ab339763f170f82d68d4107d

SHA1
460dad0367cb4cdc47abd3c56f08f93693aff1c9

SHA256
371b30e5623c6337ad98c420f570bc9c86878ddec314e404e570c4348554c17b

SHA512
7d22ef520543c5f7b7f0d816a0eaabcf093a03c96de2a002d035d3eb0d27abcff9dfcfa88113bcf2b51a5eb638c4b39c35c031054a3a4314e4c1190928d240f5

Download Submit
C:\Windows\CTS.exe

Filesize
161KB

MD5
e8f8a485ab339763f170f82d68d4107d

SHA1
460dad0367cb4cdc47abd3c56f08f93693aff1c9

SHA256
371b30e5623c6337ad98c420f570bc9c86878ddec314e404e570c4348554c17b

SHA512
7d22ef520543c5f7b7f0d816a0eaabcf093a03c96de2a002d035d3eb0d27abcff9dfcfa88113bcf2b51a5eb638c4b39c35c031054a3a4314e4c1190928d240f5

Download Submit
memory/3516-0-0x0000000000540000-0x0000000000568000-memory.dmp

Filesize
160KB

Download
memory/3516-7-0x0000000000540000-0x0000000000568000-memory.dmp

Filesize
160KB

Download
memory/3824-8-0x0000000000FB0000-0x0000000000FD8000-memory.dmp

Filesize
160KB

Download
memory/3824-31-0x0000000000FB0000-0x0000000000FD8000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads