3c61b88870ef440db52cc894150eccb99f8ae916c06ea49c2da88fcb8a79f74b

Analysis

max time kernel
142s
max time network
142s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 19:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a0ca36bae42036e20701b20fabe79eb_JC.exe
Size

89KB
MD5

1a0ca36bae42036e20701b20fabe79eb
SHA1

501a9d3feaaacf796853ba17d7c266864bb053a4
SHA256

3c61b88870ef440db52cc894150eccb99f8ae916c06ea49c2da88fcb8a79f74b
SHA512

f021dbd79f6b08eda6bfbc7c1649b78c4dbaab9afdf8478d7cc09e8f496733079e32a7de824525135e3b6d52c6c4f6a013c71775dfc2240005a65dfbcd7b593e
SSDEEP

1536:AKcR4mjD9r823FLWlrUVFHc3vKgAfV8mwrfE2ixTPm4:AKcWmjRrz3ZfRc3cfV6r82yzm4

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2304	CTS.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	1a0ca36bae42036e20701b20fabe79eb_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	1a0ca36bae42036e20701b20fabe79eb_JC.exe
File created	C:\Windows\CTS.exe	CTS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2468	1a0ca36bae42036e20701b20fabe79eb_JC.exe
Token: SeDebugPrivilege	2304	CTS.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 2304	2468	1a0ca36bae42036e20701b20fabe79eb_JC.exe	28
PID 2468 wrote to memory of 2304	2468	1a0ca36bae42036e20701b20fabe79eb_JC.exe	28
PID 2468 wrote to memory of 2304	2468	1a0ca36bae42036e20701b20fabe79eb_JC.exe	28
PID 2468 wrote to memory of 2304	2468	1a0ca36bae42036e20701b20fabe79eb_JC.exe	28

C:\Users\Admin\AppData\Local\Temp\1a0ca36bae42036e20701b20fabe79eb_JC.exe
"C:\Users\Admin\AppData\Local\Temp\1a0ca36bae42036e20701b20fabe79eb_JC.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Uk9rxxVZAlDOi0G.exe

Filesize
1KB

MD5
58b4d428f051b6e94e6535cfe8c7d776

SHA1
21d1733fdb34d9ab11309b8d80a9112992675d37

SHA256
eedc197e282d365589dd8003c3d66d6edefb652aa365ccf8bbf3654ffc53cfac

SHA512
cd14fc4f5459c8fd9ddee072a9856632501a8f824eae4e15f72cf27f4e39e708d7326a70ef4d0dd5b0666eee49c7bb154d5465cbc70bb3fdbced81ef8136c6dc

Download Submit
C:\Windows\CTS.exe

Filesize
88KB

MD5
3aaf6b72c41bd2d1e5f27673f6723bb2

SHA1
d052796ab99c07f32b7dbaca1d0e92a15bc94e5c

SHA256
f6cbc59159260d679d1d35dcb747a3955e108fc2fb43d5cb6e672b64498895eb

SHA512
bb579c5170e7d1a6d86d7e9d36176694b029368c934acbb2deafb6abacad7aec1180dd6c477d1e20888b2d63a8e9a1d172adf80f66de7f0f6a25a218d3f2247a

Download Submit
C:\Windows\CTS.exe

Filesize
88KB

MD5
3aaf6b72c41bd2d1e5f27673f6723bb2

SHA1
d052796ab99c07f32b7dbaca1d0e92a15bc94e5c

SHA256
f6cbc59159260d679d1d35dcb747a3955e108fc2fb43d5cb6e672b64498895eb

SHA512
bb579c5170e7d1a6d86d7e9d36176694b029368c934acbb2deafb6abacad7aec1180dd6c477d1e20888b2d63a8e9a1d172adf80f66de7f0f6a25a218d3f2247a

Download Submit
C:\Windows\CTS.exe

Filesize
88KB

MD5
3aaf6b72c41bd2d1e5f27673f6723bb2

SHA1
d052796ab99c07f32b7dbaca1d0e92a15bc94e5c

SHA256
f6cbc59159260d679d1d35dcb747a3955e108fc2fb43d5cb6e672b64498895eb

SHA512
bb579c5170e7d1a6d86d7e9d36176694b029368c934acbb2deafb6abacad7aec1180dd6c477d1e20888b2d63a8e9a1d172adf80f66de7f0f6a25a218d3f2247a

Download Submit
memory/2304-12-0x0000000001140000-0x0000000001164000-memory.dmp

Filesize
144KB

Download
memory/2468-0-0x0000000001350000-0x0000000001374000-memory.dmp

Filesize
144KB

Download
memory/2468-9-0x0000000001350000-0x0000000001374000-memory.dmp

Filesize
144KB

Download
memory/2468-8-0x0000000001140000-0x0000000001164000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads