f197085e02a2ee9e70b421847c1aa685acd571fd677a91cb3024f63228e27e68

General

Target

6f1aff257d43624aa0527ad8e42a9eaa_JC.exe
Size

476KB
MD5

6f1aff257d43624aa0527ad8e42a9eaa
SHA1

05b88598b95381e953ded29f283a74c09804c24a
SHA256

f197085e02a2ee9e70b421847c1aa685acd571fd677a91cb3024f63228e27e68
SHA512

cd2dcac8c0ccd68ffc616d26250844c724d993e82fdbed7b8ac00982a6b6cbdfc2a3ab83f50c5103992a3e92c7f8aa13b6f458db01c7d497d4d7f4cbffbbafb9
SSDEEP

12288:ZteeYSnaQVt3Iu89PJ7a3KfMcVVDAmUlJdq6ozktbsJ0C:ZteeY69T3UJ7Vf7eFtNozkRsJT

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
884	5KpWWosVmmvgsPh.exe
1160	CTS.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	6f1aff257d43624aa0527ad8e42a9eaa_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	CTS.exe
File created	C:\Windows\CTS.exe	6f1aff257d43624aa0527ad8e42a9eaa_JC.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4940	6f1aff257d43624aa0527ad8e42a9eaa_JC.exe
Token: SeDebugPrivilege	1160	CTS.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4940 wrote to memory of 884	4940	6f1aff257d43624aa0527ad8e42a9eaa_JC.exe	81
PID 4940 wrote to memory of 884	4940	6f1aff257d43624aa0527ad8e42a9eaa_JC.exe	81
PID 4940 wrote to memory of 884	4940	6f1aff257d43624aa0527ad8e42a9eaa_JC.exe	81
PID 4940 wrote to memory of 1160	4940	6f1aff257d43624aa0527ad8e42a9eaa_JC.exe	82
PID 4940 wrote to memory of 1160	4940	6f1aff257d43624aa0527ad8e42a9eaa_JC.exe	82
PID 4940 wrote to memory of 1160	4940	6f1aff257d43624aa0527ad8e42a9eaa_JC.exe	82

C:\Users\Admin\AppData\Local\Temp\6f1aff257d43624aa0527ad8e42a9eaa_JC.exe
"C:\Users\Admin\AppData\Local\Temp\6f1aff257d43624aa0527ad8e42a9eaa_JC.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4940
- C:\Users\Admin\AppData\Local\Temp\5KpWWosVmmvgsPh.exe
  C:\Users\Admin\AppData\Local\Temp\5KpWWosVmmvgsPh.exe
  2⤵
  - Executes dropped EXE
  PID:884
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
736KB

MD5
55ccfd7fcb1729730cdc9e5fb8a0bb3d

SHA1
fa7ca78dc12a09f1771730773f4ba8f1e2388599

SHA256
1fe795e6717d9de13212e52b1759fc8dc8fcb1ab31ed1e04832666308720f5c0

SHA512
ee33f0b9cef93c69342a61518a470acc451d8532eb0d3ab9c300b3c758c01489ed4be8b36f9ecdccef6206a65e69b9557387a1ea0a42b2daf5e92505932a9558

Download Submit
C:\Users\Admin\AppData\Local\Temp\5KpWWosVmmvgsPh.exe

Filesize
64KB

MD5
e97c622b03fb2a2598bf019fbbe29f2c

SHA1
32698bd1d3a0ff6cf441770d1b2b816285068d19

SHA256
5c1af46c7300e87a73dacf6cf41ce397e3f05df6bd9c7e227b4ac59f85769160

SHA512
db70c62fb35a8e5b005f13b57c1ebbf6c465f6ff0524422294c43e27fb4aa79379dc1e300ad11dc2354405c43b192ae06b91c0f525a1f2617e4d14673651a87d

Download Submit
C:\Users\Admin\AppData\Local\Temp\5KpWWosVmmvgsPh.exe

Filesize
64KB

MD5
e97c622b03fb2a2598bf019fbbe29f2c

SHA1
32698bd1d3a0ff6cf441770d1b2b816285068d19

SHA256
5c1af46c7300e87a73dacf6cf41ce397e3f05df6bd9c7e227b4ac59f85769160

SHA512
db70c62fb35a8e5b005f13b57c1ebbf6c465f6ff0524422294c43e27fb4aa79379dc1e300ad11dc2354405c43b192ae06b91c0f525a1f2617e4d14673651a87d

Download Submit
C:\Windows\CTS.exe

Filesize
412KB

MD5
5c0283165000c05ddbb2d74fb6084223

SHA1
2e725d4ccf1d23cf4b18e80ef962ea342d4e7f7d

SHA256
55adcf4b195ca87cc5f45ec0f6c1d1068a5d9163ed05c50ab58799503dc877b4

SHA512
dcbd4ffc5306df6afbdecc509759e6ad1a7ec4dd48917637520cb3844984c526246f7ed005849f046e03f722bbf11e3966328c9287a4061db6eba9b1881b7ca5

Download Submit
C:\Windows\CTS.exe

Filesize
412KB

MD5
5c0283165000c05ddbb2d74fb6084223

SHA1
2e725d4ccf1d23cf4b18e80ef962ea342d4e7f7d

SHA256
55adcf4b195ca87cc5f45ec0f6c1d1068a5d9163ed05c50ab58799503dc877b4

SHA512
dcbd4ffc5306df6afbdecc509759e6ad1a7ec4dd48917637520cb3844984c526246f7ed005849f046e03f722bbf11e3966328c9287a4061db6eba9b1881b7ca5

Download Submit
memory/1160-8-0x0000000000DC0000-0x0000000000DE0000-memory.dmp

Filesize
128KB

Download
memory/1160-33-0x0000000000DC0000-0x0000000000DE0000-memory.dmp

Filesize
128KB

Download
memory/4940-0-0x0000000000D70000-0x0000000000D90000-memory.dmp

Filesize
128KB

Download
memory/4940-10-0x0000000000D70000-0x0000000000D90000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads