7af059cbc1b65fe92343cb202590d31b4aa590b2e0da81bcf54b1b9dfb759e09

Analysis

max time kernel
142s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
21-10-2023 21:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.36b49078abd7eba9406662d4809e0010.exe
Size

71KB
MD5

36b49078abd7eba9406662d4809e0010
SHA1

58a54f3e3bfbec92294f8e0815ed1cce4b263e88
SHA256

7af059cbc1b65fe92343cb202590d31b4aa590b2e0da81bcf54b1b9dfb759e09
SHA512

5a0dc236b464aec2180baacad27900409f4bf8aeda7c1f57300cf93dbf372aa6a82a43a4f07511202149c2c5301af24ce686070bcd9b1c369d0739d3e7413e84
SSDEEP

1536:Fc8N7UsWjcd9w+AyabjDbxE+MwmvlDuazTZS:ZRpAyazIlyazTg

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5004	CTS.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	NEAS.36b49078abd7eba9406662d4809e0010.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	NEAS.36b49078abd7eba9406662d4809e0010.exe
File created	C:\Windows\CTS.exe	CTS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1068	NEAS.36b49078abd7eba9406662d4809e0010.exe
Token: SeDebugPrivilege	5004	CTS.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1068 wrote to memory of 5004	1068	NEAS.36b49078abd7eba9406662d4809e0010.exe	87
PID 1068 wrote to memory of 5004	1068	NEAS.36b49078abd7eba9406662d4809e0010.exe	87
PID 1068 wrote to memory of 5004	1068	NEAS.36b49078abd7eba9406662d4809e0010.exe	87

C:\Users\Admin\AppData\Local\Temp\NEAS.36b49078abd7eba9406662d4809e0010.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.36b49078abd7eba9406662d4809e0010.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1068
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:5004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
395KB

MD5
a14a8fa969ab99464b7c6bcceebc91d4

SHA1
20ac5870fd213455ac201db585ba1d5a044756d3

SHA256
178b104c28020216c752e6b87b2c6250da9f3bf33fea672a0a5d18eae793592a

SHA512
413c7709905ef93784e8130df91553121ecdd663204e7304c9325a14b634a2cbffa660ced99c02aff80f4e3661727db3235df825e25d1feee2b1cd5edcb4012e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vg8jxyT7SKGrfMn.exe

Filesize
71KB

MD5
069b769ce0f1fd84aba5bbeb12a1d9db

SHA1
dd8cd6de93c351fb8dd697cb2709cb79a5eee855

SHA256
7ef54750273c1f85b25ba0782f5c2b00ca291e7ffee0c7287c3ca6c0b5f435e4

SHA512
3be79a859bf4a35a6bc619e5f8d1c49fbe54784405204ef39c71abdcf80f2d2d6a4642d64bf9888031cac1bedc32a31c2721ec85b3c3404c875eab21def103b8

Download Submit
C:\Windows\CTS.exe

Filesize
71KB

MD5
f60519a4b9abe303feb4b5b3666a551e

SHA1
d5bb38474958a5f51fb74886482fa44e873898f5

SHA256
6be608cffb5de883843e26f17b767ebf3e0a7fe41137460b32490bcec58e382d

SHA512
3f5f479628de5e4c7911e3730062ac672f721cc513218f38193bfc9426f7fa988b97c9d315689f1b90f15805760b1b284fe4e5ef65fdf482014942f07b1e1bd7

Download Submit
C:\Windows\CTS.exe

Filesize
71KB

MD5
f60519a4b9abe303feb4b5b3666a551e

SHA1
d5bb38474958a5f51fb74886482fa44e873898f5

SHA256
6be608cffb5de883843e26f17b767ebf3e0a7fe41137460b32490bcec58e382d

SHA512
3f5f479628de5e4c7911e3730062ac672f721cc513218f38193bfc9426f7fa988b97c9d315689f1b90f15805760b1b284fe4e5ef65fdf482014942f07b1e1bd7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads