d2a502e187f0b01a993c99f454abd6d845e10b74ae0f59a4dc76da3b6aeaa04e

Analysis

max time kernel
120s
max time network
126s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
16/10/2023, 18:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.71aea8ff0ed54605c3e575790744f3b0.exe
Size

59KB
MD5

71aea8ff0ed54605c3e575790744f3b0
SHA1

a7423afc0434b017f00b1983c33dccb7303b4cb2
SHA256

d2a502e187f0b01a993c99f454abd6d845e10b74ae0f59a4dc76da3b6aeaa04e
SHA512

5281a19223daef244e4b63ab9500e045aebadfac196940834aeac777defa2b73155cfe088b8f31257ef6b3560924b152cfb103fc370d9d50681c3410d23d41d7
SSDEEP

768:XoNK2cNW0QbRsWjcd+6yBFLqJ4Z8qx70RM8/O/B2ZZcLRAeoWu:KcNjQlsWjcd+xzl7SMQ2Aeo1

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2720	CTS.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	NEAS.71aea8ff0ed54605c3e575790744f3b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	NEAS.71aea8ff0ed54605c3e575790744f3b0.exe
File created	C:\Windows\CTS.exe	CTS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2392	NEAS.71aea8ff0ed54605c3e575790744f3b0.exe
Token: SeDebugPrivilege	2720	CTS.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 2720	2392	NEAS.71aea8ff0ed54605c3e575790744f3b0.exe	28
PID 2392 wrote to memory of 2720	2392	NEAS.71aea8ff0ed54605c3e575790744f3b0.exe	28
PID 2392 wrote to memory of 2720	2392	NEAS.71aea8ff0ed54605c3e575790744f3b0.exe	28
PID 2392 wrote to memory of 2720	2392	NEAS.71aea8ff0ed54605c3e575790744f3b0.exe	28

C:\Users\Admin\AppData\Local\Temp\NEAS.71aea8ff0ed54605c3e575790744f3b0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.71aea8ff0ed54605c3e575790744f3b0.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rUfyJ4Lwpu3MFwF.exe

Filesize
59KB

MD5
90bf214365af2c92e5b8294a3e75bdaf

SHA1
56f66e9331d5727013e834f8b9b22ff2bbe7a6cd

SHA256
03973d7dc8b2055487862860e0cde5e4f869aeda2037da80a6d727bc5da7c469

SHA512
a5f66005208b7627b98d1c7032c15c278d67e036b94bad7c7c60b5fcd5b858fb4fad0793b7cc692b395ae8133f10f021af2098b59d82300b08d6b1a1f0757f7b

Download Submit
C:\Windows\CTS.exe

Filesize
59KB

MD5
a7013fd980137854a484ddae4db165c5

SHA1
726b485772138de438aa549bcd271e74cc155969

SHA256
cae4dd6e200b11cc20962b41914be7a9c5c732e88d54169b42f010b48c5b2431

SHA512
f1e8fad2ebadd68f86b6010ec65144f40003c646aac36ca2ae0d9060b6fb688be8241a401b507633ff7633ed6713294d15122b5561cd1b0a7c4cdda8458912ee

Download Submit
C:\Windows\CTS.exe

Filesize
59KB

MD5
a7013fd980137854a484ddae4db165c5

SHA1
726b485772138de438aa549bcd271e74cc155969

SHA256
cae4dd6e200b11cc20962b41914be7a9c5c732e88d54169b42f010b48c5b2431

SHA512
f1e8fad2ebadd68f86b6010ec65144f40003c646aac36ca2ae0d9060b6fb688be8241a401b507633ff7633ed6713294d15122b5561cd1b0a7c4cdda8458912ee

Download Submit
C:\Windows\CTS.exe

Filesize
59KB

MD5
a7013fd980137854a484ddae4db165c5

SHA1
726b485772138de438aa549bcd271e74cc155969

SHA256
cae4dd6e200b11cc20962b41914be7a9c5c732e88d54169b42f010b48c5b2431

SHA512
f1e8fad2ebadd68f86b6010ec65144f40003c646aac36ca2ae0d9060b6fb688be8241a401b507633ff7633ed6713294d15122b5561cd1b0a7c4cdda8458912ee

Download Submit
memory/2392-0-0x0000000000D90000-0x0000000000DA3000-memory.dmp

Filesize
76KB

Download
memory/2720-9-0x00000000009B0000-0x00000000009C3000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads