f197085e02a2ee9e70b421847c1aa685acd571fd677a91cb3024f63228e27e68

General

Target

6f1aff257d43624aa0527ad8e42a9eaa_JC.exe
Size

476KB
MD5

6f1aff257d43624aa0527ad8e42a9eaa
SHA1

05b88598b95381e953ded29f283a74c09804c24a
SHA256

f197085e02a2ee9e70b421847c1aa685acd571fd677a91cb3024f63228e27e68
SHA512

cd2dcac8c0ccd68ffc616d26250844c724d993e82fdbed7b8ac00982a6b6cbdfc2a3ab83f50c5103992a3e92c7f8aa13b6f458db01c7d497d4d7f4cbffbbafb9
SSDEEP

12288:ZteeYSnaQVt3Iu89PJ7a3KfMcVVDAmUlJdq6ozktbsJ0C:ZteeY69T3UJ7Vf7eFtNozkRsJT

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1288	0We9oeg8sS2hrrQ.exe
3000	CTS.exe

Loads dropped DLL 2 IoCs

pid	Process
1460	6f1aff257d43624aa0527ad8e42a9eaa_JC.exe
1460	6f1aff257d43624aa0527ad8e42a9eaa_JC.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	6f1aff257d43624aa0527ad8e42a9eaa_JC.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	6f1aff257d43624aa0527ad8e42a9eaa_JC.exe
File created	C:\Windows\CTS.exe	CTS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1460	6f1aff257d43624aa0527ad8e42a9eaa_JC.exe
Token: SeDebugPrivilege	3000	CTS.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 1288	1460	6f1aff257d43624aa0527ad8e42a9eaa_JC.exe	28
PID 1460 wrote to memory of 1288	1460	6f1aff257d43624aa0527ad8e42a9eaa_JC.exe	28
PID 1460 wrote to memory of 1288	1460	6f1aff257d43624aa0527ad8e42a9eaa_JC.exe	28
PID 1460 wrote to memory of 1288	1460	6f1aff257d43624aa0527ad8e42a9eaa_JC.exe	28
PID 1460 wrote to memory of 3000	1460	6f1aff257d43624aa0527ad8e42a9eaa_JC.exe	29
PID 1460 wrote to memory of 3000	1460	6f1aff257d43624aa0527ad8e42a9eaa_JC.exe	29
PID 1460 wrote to memory of 3000	1460	6f1aff257d43624aa0527ad8e42a9eaa_JC.exe	29
PID 1460 wrote to memory of 3000	1460	6f1aff257d43624aa0527ad8e42a9eaa_JC.exe	29

C:\Users\Admin\AppData\Local\Temp\6f1aff257d43624aa0527ad8e42a9eaa_JC.exe
"C:\Users\Admin\AppData\Local\Temp\6f1aff257d43624aa0527ad8e42a9eaa_JC.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Users\Admin\AppData\Local\Temp\0We9oeg8sS2hrrQ.exe
  C:\Users\Admin\AppData\Local\Temp\0We9oeg8sS2hrrQ.exe
  2⤵
  - Executes dropped EXE
  PID:1288
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0We9oeg8sS2hrrQ.exe

Filesize
476KB

MD5
935e2ac5b9c3efb1167242716b096422

SHA1
c13d37c636b97a59eade8178501d765cb30819a7

SHA256
d88d411538fe8f8f7701303b94caddd146af664b839263718576e7bd0cdf0611

SHA512
33f543d356e2e6d5d328d602d6da304e16b6646e42226d0ae7f73d48e46b1a5d34b483539f5ec8a0dc9bc589c9f77c9b1f645b6e43a2ebecc8a2a89926c3d7ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\0We9oeg8sS2hrrQ.exe

Filesize
64KB

MD5
e97c622b03fb2a2598bf019fbbe29f2c

SHA1
32698bd1d3a0ff6cf441770d1b2b816285068d19

SHA256
5c1af46c7300e87a73dacf6cf41ce397e3f05df6bd9c7e227b4ac59f85769160

SHA512
db70c62fb35a8e5b005f13b57c1ebbf6c465f6ff0524422294c43e27fb4aa79379dc1e300ad11dc2354405c43b192ae06b91c0f525a1f2617e4d14673651a87d

Download Submit
C:\Users\Admin\AppData\Local\Temp\0We9oeg8sS2hrrQ.exe

Filesize
64KB

MD5
e97c622b03fb2a2598bf019fbbe29f2c

SHA1
32698bd1d3a0ff6cf441770d1b2b816285068d19

SHA256
5c1af46c7300e87a73dacf6cf41ce397e3f05df6bd9c7e227b4ac59f85769160

SHA512
db70c62fb35a8e5b005f13b57c1ebbf6c465f6ff0524422294c43e27fb4aa79379dc1e300ad11dc2354405c43b192ae06b91c0f525a1f2617e4d14673651a87d

Download Submit
C:\Windows\CTS.exe

Filesize
412KB

MD5
5c0283165000c05ddbb2d74fb6084223

SHA1
2e725d4ccf1d23cf4b18e80ef962ea342d4e7f7d

SHA256
55adcf4b195ca87cc5f45ec0f6c1d1068a5d9163ed05c50ab58799503dc877b4

SHA512
dcbd4ffc5306df6afbdecc509759e6ad1a7ec4dd48917637520cb3844984c526246f7ed005849f046e03f722bbf11e3966328c9287a4061db6eba9b1881b7ca5

Download Submit
C:\Windows\CTS.exe

Filesize
412KB

MD5
5c0283165000c05ddbb2d74fb6084223

SHA1
2e725d4ccf1d23cf4b18e80ef962ea342d4e7f7d

SHA256
55adcf4b195ca87cc5f45ec0f6c1d1068a5d9163ed05c50ab58799503dc877b4

SHA512
dcbd4ffc5306df6afbdecc509759e6ad1a7ec4dd48917637520cb3844984c526246f7ed005849f046e03f722bbf11e3966328c9287a4061db6eba9b1881b7ca5

Download Submit
C:\Windows\CTS.exe

Filesize
412KB

MD5
5c0283165000c05ddbb2d74fb6084223

SHA1
2e725d4ccf1d23cf4b18e80ef962ea342d4e7f7d

SHA256
55adcf4b195ca87cc5f45ec0f6c1d1068a5d9163ed05c50ab58799503dc877b4

SHA512
dcbd4ffc5306df6afbdecc509759e6ad1a7ec4dd48917637520cb3844984c526246f7ed005849f046e03f722bbf11e3966328c9287a4061db6eba9b1881b7ca5

Download Submit
\Users\Admin\AppData\Local\Temp\0We9oeg8sS2hrrQ.exe

Filesize
64KB

MD5
e97c622b03fb2a2598bf019fbbe29f2c

SHA1
32698bd1d3a0ff6cf441770d1b2b816285068d19

SHA256
5c1af46c7300e87a73dacf6cf41ce397e3f05df6bd9c7e227b4ac59f85769160

SHA512
db70c62fb35a8e5b005f13b57c1ebbf6c465f6ff0524422294c43e27fb4aa79379dc1e300ad11dc2354405c43b192ae06b91c0f525a1f2617e4d14673651a87d

Download Submit
\Users\Admin\AppData\Local\Temp\0We9oeg8sS2hrrQ.exe

Filesize
64KB

MD5
e97c622b03fb2a2598bf019fbbe29f2c

SHA1
32698bd1d3a0ff6cf441770d1b2b816285068d19

SHA256
5c1af46c7300e87a73dacf6cf41ce397e3f05df6bd9c7e227b4ac59f85769160

SHA512
db70c62fb35a8e5b005f13b57c1ebbf6c465f6ff0524422294c43e27fb4aa79379dc1e300ad11dc2354405c43b192ae06b91c0f525a1f2617e4d14673651a87d

Download Submit
memory/1460-0-0x00000000003E0000-0x0000000000400000-memory.dmp

Filesize
128KB

Download
memory/1460-15-0x00000000003E0000-0x0000000000400000-memory.dmp

Filesize
128KB

Download
memory/1460-11-0x0000000000070000-0x0000000000090000-memory.dmp

Filesize
128KB

Download
memory/3000-18-0x00000000010C0000-0x00000000010E0000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads