6eb33aba0547d9b4fbfd68beb0f77b17f2cff22fd86ef67cf88a470a2f046b28

General

Target

c30cba14baed76ef15b882815ba6fe40_JC.exe
Size

422KB
MD5

c30cba14baed76ef15b882815ba6fe40
SHA1

11bb4256249ebf8411853a0516b8689901315f71
SHA256

6eb33aba0547d9b4fbfd68beb0f77b17f2cff22fd86ef67cf88a470a2f046b28
SHA512

80f720b5a135cacd24be5c776d2140f17b91731034ce1b76470d1c9d2bc6b7bcbbec913462f7b55dfcbbfdad0ccd786a664ca78571f0a3de2613997bef865213
SSDEEP

6144:eGxmsc1URAP63JeJMpqojYraTWomVjJO0DDDjC/tPhpTkPpMPM7Atvt44No/WxM0:e9scszZFseWomPrHD2FPbkPV7exjJmQ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2332	CTS.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2144-0-0x0000000000850000-0x0000000000877000-memory.dmp	upx
behavioral1/files/0x000e00000001233e-10.dat	upx
behavioral1/memory/2332-12-0x0000000000D30000-0x0000000000D57000-memory.dmp	upx
behavioral1/files/0x000e00000001233e-9.dat	upx
behavioral1/memory/2144-8-0x0000000000850000-0x0000000000877000-memory.dmp	upx
behavioral1/files/0x000e00000001233e-7.dat	upx
behavioral1/files/0x00070000000120bd-14.dat	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	c30cba14baed76ef15b882815ba6fe40_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	c30cba14baed76ef15b882815ba6fe40_JC.exe
File created	C:\Windows\CTS.exe	CTS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2144	c30cba14baed76ef15b882815ba6fe40_JC.exe
Token: SeDebugPrivilege	2332	CTS.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2144 wrote to memory of 2332	2144	c30cba14baed76ef15b882815ba6fe40_JC.exe	28
PID 2144 wrote to memory of 2332	2144	c30cba14baed76ef15b882815ba6fe40_JC.exe	28
PID 2144 wrote to memory of 2332	2144	c30cba14baed76ef15b882815ba6fe40_JC.exe	28
PID 2144 wrote to memory of 2332	2144	c30cba14baed76ef15b882815ba6fe40_JC.exe	28

C:\Users\Admin\AppData\Local\Temp\c30cba14baed76ef15b882815ba6fe40_JC.exe
"C:\Users\Admin\AppData\Local\Temp\c30cba14baed76ef15b882815ba6fe40_JC.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\n4SPKnnhmCrisWl.exe

Filesize
422KB

MD5
43d0cf0c822427b00b5208aa01f8ff0e

SHA1
aa3529da3707a27bb580eed1b27a1aa6b20243e3

SHA256
41e9a8ea28fda5f9ae1af8a802abbcfa803d377107cdd1da25d27c3cb37ad4aa

SHA512
25c3340c3964e2aec7177d946d35b4c08ad9bf0ef0155f45b2450bbc10083e61f102cf179bb48ad91a9ff108ed452e165f2f71550e91ba68960ede62e1f83586

Download Submit
C:\Windows\CTS.exe

Filesize
422KB

MD5
c848a727f24b4673fc3c461182956c08

SHA1
d9d9fa3d2d4adc9d257218a283cd0a556ab6b273

SHA256
0663aa421faa4706e8ccca33c9b47ce34b2bd071cfb7669f164b1920a3eac173

SHA512
a6ee14a539db3c755cbd28a78d84d4990a144017dc315da396c8aac5f893b8cd5b1c337b2f16a5a5e32e5e3a9a6893bf4c3e9554378dabb5be26c26c27e807e1

Download Submit
C:\Windows\CTS.exe

Filesize
422KB

MD5
c848a727f24b4673fc3c461182956c08

SHA1
d9d9fa3d2d4adc9d257218a283cd0a556ab6b273

SHA256
0663aa421faa4706e8ccca33c9b47ce34b2bd071cfb7669f164b1920a3eac173

SHA512
a6ee14a539db3c755cbd28a78d84d4990a144017dc315da396c8aac5f893b8cd5b1c337b2f16a5a5e32e5e3a9a6893bf4c3e9554378dabb5be26c26c27e807e1

Download Submit
C:\Windows\CTS.exe

Filesize
422KB

MD5
c848a727f24b4673fc3c461182956c08

SHA1
d9d9fa3d2d4adc9d257218a283cd0a556ab6b273

SHA256
0663aa421faa4706e8ccca33c9b47ce34b2bd071cfb7669f164b1920a3eac173

SHA512
a6ee14a539db3c755cbd28a78d84d4990a144017dc315da396c8aac5f893b8cd5b1c337b2f16a5a5e32e5e3a9a6893bf4c3e9554378dabb5be26c26c27e807e1

Download Submit
memory/2144-0-0x0000000000850000-0x0000000000877000-memory.dmp

Filesize
156KB

Download
memory/2144-11-0x00000000002C0000-0x00000000002E7000-memory.dmp

Filesize
156KB

Download
memory/2144-8-0x0000000000850000-0x0000000000877000-memory.dmp

Filesize
156KB

Download
memory/2144-15-0x00000000002C0000-0x00000000002E7000-memory.dmp

Filesize
156KB

Download
memory/2332-12-0x0000000000D30000-0x0000000000D57000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads