14a5e06cfaad0fc2ee172c2c8ccddcab454b0193bf32988553e17c4a8f0dd820

Analysis

max time kernel
161s
max time network
171s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 18:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3cfc87729e2e905d2442d6c9225919ed_JC.exe
Size

214KB
MD5

3cfc87729e2e905d2442d6c9225919ed
SHA1

18adfcffe5ce90955ada4e5fa8b126c75cf44cb1
SHA256

14a5e06cfaad0fc2ee172c2c8ccddcab454b0193bf32988553e17c4a8f0dd820
SHA512

d1a8ae358bcfc203b19953b249d2ca65e7062891b1980c82884ed9cf3b5d92d83cf1a1a3495dedf90f21d87d42b49754fd68037584b369be057195ab29dce26d
SSDEEP

3072:ZhpAyazIlyazTa2VwHOfsBrdfHdoqY7B4nkCS06wxZAotB3aekofVvPY:hZMaz2R+Hd4nN6SBH3aehf5PY

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
228	5F1K9yWhGYlMhyl.exe
3412	CTS.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	3cfc87729e2e905d2442d6c9225919ed_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	3cfc87729e2e905d2442d6c9225919ed_JC.exe
File created	C:\Windows\CTS.exe	CTS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3900	3cfc87729e2e905d2442d6c9225919ed_JC.exe
Token: SeDebugPrivilege	3412	CTS.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3900 wrote to memory of 228	3900	3cfc87729e2e905d2442d6c9225919ed_JC.exe	82
PID 3900 wrote to memory of 228	3900	3cfc87729e2e905d2442d6c9225919ed_JC.exe	82
PID 3900 wrote to memory of 3412	3900	3cfc87729e2e905d2442d6c9225919ed_JC.exe	84
PID 3900 wrote to memory of 3412	3900	3cfc87729e2e905d2442d6c9225919ed_JC.exe	84
PID 3900 wrote to memory of 3412	3900	3cfc87729e2e905d2442d6c9225919ed_JC.exe	84

C:\Users\Admin\AppData\Local\Temp\3cfc87729e2e905d2442d6c9225919ed_JC.exe
"C:\Users\Admin\AppData\Local\Temp\3cfc87729e2e905d2442d6c9225919ed_JC.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3900
- C:\Users\Admin\AppData\Local\Temp\5F1K9yWhGYlMhyl.exe
  C:\Users\Admin\AppData\Local\Temp\5F1K9yWhGYlMhyl.exe
  2⤵
  - Executes dropped EXE
  PID:228
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:3412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
393KB

MD5
754d9d37a247fa85c76acfa7debfe635

SHA1
5d0b5cf06c1d911a0f1be6ecc9db14e2de737e12

SHA256
09f9b329d7d9fee983a3619c08fd27060955cc82f43f947ee55a76e64d75ece5

SHA512
2a46290190e47d199620a7d805074555b8884c9aec80c80abd1b17e6d396fd56d05db6cd1d69904d78cf9e0c0587d458f87efd84c5066868aaa6a9a411136633

Download Submit
C:\Users\Admin\AppData\Local\Temp\5F1K9yWhGYlMhyl.exe

Filesize
143KB

MD5
2fdb371d45181dff59577110ba1064e2

SHA1
42a5833cb0ac90e38d734d1327bb3f7c7a6aa453

SHA256
80d7ec8ce3913d81ea5d4f304b8609e56f0e49778c52af9279e742ea54f4a155

SHA512
52982041ba9ca552b90b79b251501ec6c33c5251d09ca9969a1b179af2ec17aca6eb81db6e588e12751bcea04208e1da8d5a754a979dd98ceb3f50780aadea20

Download Submit
C:\Users\Admin\AppData\Local\Temp\5F1K9yWhGYlMhyl.exe

Filesize
143KB

MD5
2fdb371d45181dff59577110ba1064e2

SHA1
42a5833cb0ac90e38d734d1327bb3f7c7a6aa453

SHA256
80d7ec8ce3913d81ea5d4f304b8609e56f0e49778c52af9279e742ea54f4a155

SHA512
52982041ba9ca552b90b79b251501ec6c33c5251d09ca9969a1b179af2ec17aca6eb81db6e588e12751bcea04208e1da8d5a754a979dd98ceb3f50780aadea20

Download Submit
C:\Windows\CTS.exe

Filesize
71KB

MD5
66df4ffab62e674af2e75b163563fc0b

SHA1
dec8a197312e41eeb3cfef01cb2a443f0205cd6e

SHA256
075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163

SHA512
1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25

Download Submit
C:\Windows\CTS.exe

Filesize
71KB

MD5
66df4ffab62e674af2e75b163563fc0b

SHA1
dec8a197312e41eeb3cfef01cb2a443f0205cd6e

SHA256
075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163

SHA512
1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25

Download Submit
memory/228-9-0x00000000009F0000-0x0000000000A18000-memory.dmp

Filesize
160KB

Download
memory/228-13-0x00007FFBE5910000-0x00007FFBE63D1000-memory.dmp

Filesize
10.8MB

Download
memory/228-31-0x00007FFBE5910000-0x00007FFBE63D1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads