dc58d0c5b8d9d2b26a34d8ac390d0b7ca1ebc7dca0880175a7628075ec3eff49

General

Target

9871568b30a3f1130ef029338c3ece30_JC.exe
Size

120KB
MD5

9871568b30a3f1130ef029338c3ece30
SHA1

4add0a258e32301eb9c211615ea6c4462338d403
SHA256

dc58d0c5b8d9d2b26a34d8ac390d0b7ca1ebc7dca0880175a7628075ec3eff49
SHA512

5bf334d805d4d9c82bc8722075f0b2c5ff2eb0990b490fb8d3a961adfb0a28ed0bd17ce13b3267642f272aff8f35203d5971cef9be50ec610ae019888bcaf3c4
SSDEEP

1536:ocNjQlsWjcd+xzl7SM+Gn824eo6KcR4mjD9r823FuVPy:bjr87S7Gnzbo6KcWmjRrz3q6

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2692	CTS.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1572-0-0x0000000000C70000-0x0000000000C87000-memory.dmp	upx
behavioral1/memory/1572-9-0x0000000000C70000-0x0000000000C87000-memory.dmp	upx
behavioral1/files/0x0032000000015c2f-11.dat	upx
behavioral1/memory/2692-12-0x0000000001270000-0x0000000001287000-memory.dmp	upx
behavioral1/files/0x0032000000015c2f-10.dat	upx
behavioral1/files/0x0032000000015c2f-7.dat	upx
behavioral1/files/0x000f00000001223f-14.dat	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	9871568b30a3f1130ef029338c3ece30_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	9871568b30a3f1130ef029338c3ece30_JC.exe
File created	C:\Windows\CTS.exe	CTS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1572	9871568b30a3f1130ef029338c3ece30_JC.exe
Token: SeDebugPrivilege	2692	CTS.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1572 wrote to memory of 2692	1572	9871568b30a3f1130ef029338c3ece30_JC.exe	28
PID 1572 wrote to memory of 2692	1572	9871568b30a3f1130ef029338c3ece30_JC.exe	28
PID 1572 wrote to memory of 2692	1572	9871568b30a3f1130ef029338c3ece30_JC.exe	28
PID 1572 wrote to memory of 2692	1572	9871568b30a3f1130ef029338c3ece30_JC.exe	28

C:\Users\Admin\AppData\Local\Temp\9871568b30a3f1130ef029338c3ece30_JC.exe
"C:\Users\Admin\AppData\Local\Temp\9871568b30a3f1130ef029338c3ece30_JC.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1572
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dD8xVA2rfmMa5oR.exe

Filesize
120KB

MD5
92369e8efdc5628bf3afbd088074a118

SHA1
bc91e00c86ba733e339a50414ed5bd74a31f2593

SHA256
f6c62c282e519438816222dfbccedaafd625d3b3f47f52ac6da07ac7db0da58a

SHA512
ed47189841e4e4c0e7fa7814c0088b1de2ba96d7fb8dddca1b2d3c733689d45b3210ded2f05e152760860d8adc4878569399bd9a30de19130ea16d7972fa7e61

Download Submit
C:\Windows\CTS.exe

Filesize
117KB

MD5
90560322e00c64a66ef2099f55ff1f09

SHA1
1404109a21e4656daa9dc570c32e6385b6634344

SHA256
69346cf100b44fce4b64c433efc47601922b255c5d4182f4ecf1fcff1ca05bf4

SHA512
164e6e7654b55727940b212d56df47043f11e612b04cdfbc4c33ad455bbb5b1cece3882acc944cd526f3c5dcd519bcd1d01a3d796e95902bfc680f51dfe74f61

Download Submit
C:\Windows\CTS.exe

Filesize
117KB

MD5
90560322e00c64a66ef2099f55ff1f09

SHA1
1404109a21e4656daa9dc570c32e6385b6634344

SHA256
69346cf100b44fce4b64c433efc47601922b255c5d4182f4ecf1fcff1ca05bf4

SHA512
164e6e7654b55727940b212d56df47043f11e612b04cdfbc4c33ad455bbb5b1cece3882acc944cd526f3c5dcd519bcd1d01a3d796e95902bfc680f51dfe74f61

Download Submit
C:\Windows\CTS.exe

Filesize
117KB

MD5
90560322e00c64a66ef2099f55ff1f09

SHA1
1404109a21e4656daa9dc570c32e6385b6634344

SHA256
69346cf100b44fce4b64c433efc47601922b255c5d4182f4ecf1fcff1ca05bf4

SHA512
164e6e7654b55727940b212d56df47043f11e612b04cdfbc4c33ad455bbb5b1cece3882acc944cd526f3c5dcd519bcd1d01a3d796e95902bfc680f51dfe74f61

Download Submit
memory/1572-0-0x0000000000C70000-0x0000000000C87000-memory.dmp

Filesize
92KB

Download
memory/1572-8-0x0000000000080000-0x0000000000097000-memory.dmp

Filesize
92KB

Download
memory/1572-9-0x0000000000C70000-0x0000000000C87000-memory.dmp

Filesize
92KB

Download
memory/1572-16-0x0000000000080000-0x0000000000097000-memory.dmp

Filesize
92KB

Download
memory/2692-12-0x0000000001270000-0x0000000001287000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads