e2e51d522e01975b53b9ae5c653266104cd7b316f7cb9426a60417f1f8a32edf

General

Target

NEAS.09caa1b0db3d99a58bd2ee2d402ae020_JC.exe
Size

174KB
MD5

09caa1b0db3d99a58bd2ee2d402ae020
SHA1

a1f8fdfc7c87cb8b7f1e9fc15bcd7b5210593a9e
SHA256

e2e51d522e01975b53b9ae5c653266104cd7b316f7cb9426a60417f1f8a32edf
SHA512

9ba56ccd2b126c469d2695459643abee81912de3e4417ac88f3a60de1732f378496c65b9abf39c218e4c32d7d11bb09e457d4307bedb9694d54fa070b6dbdd27
SSDEEP

3072:ZxpAyazIlyazTYBFiOhdWnXL430j3oVZnf8MgFuQlsQfA8PEJ:RZMazEDdWn8kj3oDUMgFuQlvGJ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2596	gumL68AhcnBD518.exe
2732	CTS.exe

Loads dropped DLL 2 IoCs

pid	Process
2692	NEAS.09caa1b0db3d99a58bd2ee2d402ae020_JC.exe
836	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	NEAS.09caa1b0db3d99a58bd2ee2d402ae020_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	NEAS.09caa1b0db3d99a58bd2ee2d402ae020_JC.exe
File created	C:\Windows\CTS.exe	CTS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2692	NEAS.09caa1b0db3d99a58bd2ee2d402ae020_JC.exe
Token: SeDebugPrivilege	2732	CTS.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 2596	2692	NEAS.09caa1b0db3d99a58bd2ee2d402ae020_JC.exe	28
PID 2692 wrote to memory of 2596	2692	NEAS.09caa1b0db3d99a58bd2ee2d402ae020_JC.exe	28
PID 2692 wrote to memory of 2596	2692	NEAS.09caa1b0db3d99a58bd2ee2d402ae020_JC.exe	28
PID 2692 wrote to memory of 2596	2692	NEAS.09caa1b0db3d99a58bd2ee2d402ae020_JC.exe	28
PID 2692 wrote to memory of 2732	2692	NEAS.09caa1b0db3d99a58bd2ee2d402ae020_JC.exe	30
PID 2692 wrote to memory of 2732	2692	NEAS.09caa1b0db3d99a58bd2ee2d402ae020_JC.exe	30
PID 2692 wrote to memory of 2732	2692	NEAS.09caa1b0db3d99a58bd2ee2d402ae020_JC.exe	30
PID 2692 wrote to memory of 2732	2692	NEAS.09caa1b0db3d99a58bd2ee2d402ae020_JC.exe	30

C:\Users\Admin\AppData\Local\Temp\NEAS.09caa1b0db3d99a58bd2ee2d402ae020_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.09caa1b0db3d99a58bd2ee2d402ae020_JC.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Users\Admin\AppData\Local\Temp\gumL68AhcnBD518.exe
  C:\Users\Admin\AppData\Local\Temp\gumL68AhcnBD518.exe
  2⤵
  - Executes dropped EXE
  PID:2596
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gumL68AhcnBD518.exe

Filesize
103KB

MD5
5a901b21550595c3d6c9820534e0d023

SHA1
39a5a2464ad897d4dc135b85440d86f82ee30155

SHA256
7adc240140487929587aac46639aae378c76dc41d9ed32b8b63e3cc8ee862536

SHA512
05b148152bce7b10511cf9f5deea9c9008b419ea8f82ccc6f8ce368b1737a9d374e244eb2205958032458b445c73e5203742aa38881cb8bdeed8c227b66e8d86

Download Submit
C:\Users\Admin\AppData\Local\Temp\gumL68AhcnBD518.exe

Filesize
103KB

MD5
5a901b21550595c3d6c9820534e0d023

SHA1
39a5a2464ad897d4dc135b85440d86f82ee30155

SHA256
7adc240140487929587aac46639aae378c76dc41d9ed32b8b63e3cc8ee862536

SHA512
05b148152bce7b10511cf9f5deea9c9008b419ea8f82ccc6f8ce368b1737a9d374e244eb2205958032458b445c73e5203742aa38881cb8bdeed8c227b66e8d86

Download Submit
C:\Windows\CTS.exe

Filesize
71KB

MD5
f53a5c9ca2e3837485afaba90a4cd7e2

SHA1
5b02231c979d9af0990294094113aca1de3fb8b4

SHA256
479450abbbb7bded1c00cceb20497fc90f6156325b86401505b50739075a63ba

SHA512
4c0c8ec807e458f5fe9407796307d43ae109047a133d08ef3ce86b726646749dcce6802a85a9a3186c9837afd1e8b0d040f74d6034865a1e2a62f28c4e8e3c78

Download Submit
C:\Windows\CTS.exe

Filesize
71KB

MD5
f53a5c9ca2e3837485afaba90a4cd7e2

SHA1
5b02231c979d9af0990294094113aca1de3fb8b4

SHA256
479450abbbb7bded1c00cceb20497fc90f6156325b86401505b50739075a63ba

SHA512
4c0c8ec807e458f5fe9407796307d43ae109047a133d08ef3ce86b726646749dcce6802a85a9a3186c9837afd1e8b0d040f74d6034865a1e2a62f28c4e8e3c78

Download Submit
C:\Windows\CTS.exe

Filesize
71KB

MD5
f53a5c9ca2e3837485afaba90a4cd7e2

SHA1
5b02231c979d9af0990294094113aca1de3fb8b4

SHA256
479450abbbb7bded1c00cceb20497fc90f6156325b86401505b50739075a63ba

SHA512
4c0c8ec807e458f5fe9407796307d43ae109047a133d08ef3ce86b726646749dcce6802a85a9a3186c9837afd1e8b0d040f74d6034865a1e2a62f28c4e8e3c78

Download Submit
\Users\Admin\AppData\Local\Temp\gumL68AhcnBD518.exe

Filesize
103KB

MD5
5a901b21550595c3d6c9820534e0d023

SHA1
39a5a2464ad897d4dc135b85440d86f82ee30155

SHA256
7adc240140487929587aac46639aae378c76dc41d9ed32b8b63e3cc8ee862536

SHA512
05b148152bce7b10511cf9f5deea9c9008b419ea8f82ccc6f8ce368b1737a9d374e244eb2205958032458b445c73e5203742aa38881cb8bdeed8c227b66e8d86

Download Submit
\Users\Admin\AppData\Local\Temp\gumL68AhcnBD518.exe

Filesize
103KB

MD5
5a901b21550595c3d6c9820534e0d023

SHA1
39a5a2464ad897d4dc135b85440d86f82ee30155

SHA256
7adc240140487929587aac46639aae378c76dc41d9ed32b8b63e3cc8ee862536

SHA512
05b148152bce7b10511cf9f5deea9c9008b419ea8f82ccc6f8ce368b1737a9d374e244eb2205958032458b445c73e5203742aa38881cb8bdeed8c227b66e8d86

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads