66f18e5d7e077c1c819fba5bb448d235333b6e7ed29166a98ea0764c547d906c

Analysis

max time kernel
141s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
04/11/2023, 10:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.f9a7cadb3e1749b73b1304d47ef88070_JC.exe
Size

359KB
MD5

f9a7cadb3e1749b73b1304d47ef88070
SHA1

10c4632ebb569100abe57450a021ecfe2019de64
SHA256

66f18e5d7e077c1c819fba5bb448d235333b6e7ed29166a98ea0764c547d906c
SHA512

f0c83c9edc7511b6d4b2f00ba7a5d3aef01ee98f6bfba036fcbc861aaa1aeb695789688d3ed7c7202d15330ba6d9f193d0492b9c35de7a6548f22d249a6a0ce9
SSDEEP

6144:hZMaz/pUhrG7PEuXYEpHlN9kAGxsOSVkSqOGHhkeb6IFJ3S7bk9dAMXNhl7:hS0/paG7oCnpkS8qeb6XgUmNhV

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
984	dSDyVhNp5BN0K3a.exe
2624	CTS.exe
2364	dxwsetup.exe

Loads dropped DLL 2 IoCs

pid	Process
2364	dxwsetup.exe
2364	dxwsetup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	NEAS.f9a7cadb3e1749b73b1304d47ef88070_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	dSDyVhNp5BN0K3a.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\directx\websetup\dsetup32.dll	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\DirectX\WebSetup	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\directx\websetup\SETFD5B.tmp	dxwsetup.exe
File created	C:\Windows\SysWOW64\directx\websetup\SETFD5B.tmp	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\directx\websetup\dsetup.dll	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\directx\websetup\SETFDBA.tmp	dxwsetup.exe
File created	C:\Windows\SysWOW64\directx\websetup\SETFDBA.tmp	dxwsetup.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	CTS.exe
File opened for modification	C:\Windows\Logs\DirectX.log	dxwsetup.exe
File created	C:\Windows\CTS.exe	NEAS.f9a7cadb3e1749b73b1304d47ef88070_JC.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3224	NEAS.f9a7cadb3e1749b73b1304d47ef88070_JC.exe
Token: SeDebugPrivilege	2624	CTS.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3224 wrote to memory of 984	3224	NEAS.f9a7cadb3e1749b73b1304d47ef88070_JC.exe	86
PID 3224 wrote to memory of 984	3224	NEAS.f9a7cadb3e1749b73b1304d47ef88070_JC.exe	86
PID 3224 wrote to memory of 984	3224	NEAS.f9a7cadb3e1749b73b1304d47ef88070_JC.exe	86
PID 3224 wrote to memory of 2624	3224	NEAS.f9a7cadb3e1749b73b1304d47ef88070_JC.exe	88
PID 3224 wrote to memory of 2624	3224	NEAS.f9a7cadb3e1749b73b1304d47ef88070_JC.exe	88
PID 3224 wrote to memory of 2624	3224	NEAS.f9a7cadb3e1749b73b1304d47ef88070_JC.exe	88
PID 984 wrote to memory of 2364	984	dSDyVhNp5BN0K3a.exe	90
PID 984 wrote to memory of 2364	984	dSDyVhNp5BN0K3a.exe	90
PID 984 wrote to memory of 2364	984	dSDyVhNp5BN0K3a.exe	90

C:\Users\Admin\AppData\Local\Temp\NEAS.f9a7cadb3e1749b73b1304d47ef88070_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.f9a7cadb3e1749b73b1304d47ef88070_JC.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3224
- C:\Users\Admin\AppData\Local\Temp\dSDyVhNp5BN0K3a.exe
  C:\Users\Admin\AppData\Local\Temp\dSDyVhNp5BN0K3a.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:984
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:2364
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
394KB

MD5
e434d25828c32b820288140ba9df1ff4

SHA1
706c8b47c963a73cc2f080fc847180438561f020

SHA256
096931e0e50fbb3d67ad0ac7d98ccfbfec188b98f5b4e9215e2a777f17486d9f

SHA512
bd78d1f73020b0d9f67e2e0e79b3e7553e6232d0d6b8e1a5d36dc96d9aa9751bc4889617b210b3c51bf391b5321ab00a27a21b91546cbb09b4c0cdd3469ff13d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dsetup.dll

Filesize
93KB

MD5
984cad22fa542a08c5d22941b888d8dc

SHA1
3e3522e7f3af329f2235b0f0850d664d5377b3cd

SHA256
57bc22850bb8e0bcc511a9b54cd3da18eec61f3088940c07d63b9b74e7fe2308

SHA512
8ef171218b331f0591a4b2a5e68dcbae98f5891518ce877f1d8d1769c59c0f4ddae43cc43da6606975078f889c832f0666484db9e047782e7a0ae4a2d41f5bef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dsetup32.dll

Filesize
1.5MB

MD5
a5412a144f63d639b47fcc1ba68cb029

SHA1
81bd5f1c99b22c0266f3f59959dfb4ea023be47e

SHA256
8a011da043a4b81e2b3d41a332e0ff23a65d546bd7636e8bc74885e8746927d6

SHA512
2679a4cb690e8d709cb5e57b59315d22f69f91efa6c4ee841943751c882b0c0457fd4a3376ac3832c757c6dfaffb7d844909c5665b86a95339af586097ee0405

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe

Filesize
515KB

MD5
ac3a5f7be8cd13a863b50ab5fe00b71c

SHA1
eee417cd92e263b84dd3b5dcc2b4b463fe6e84d9

SHA256
8f5e89298e3dc2e22d47515900c37cca4ee121c5ba06a6d962d40ad6e1a595da

SHA512
c8bbe791373dad681f0ac9f5ab538119bde685d4f901f5db085c73163fc2e868972b2de60e72ccd44f745f1fd88fcde2e27f32302d8cbd3c1f43e6e657c79fba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe

Filesize
515KB

MD5
ac3a5f7be8cd13a863b50ab5fe00b71c

SHA1
eee417cd92e263b84dd3b5dcc2b4b463fe6e84d9

SHA256
8f5e89298e3dc2e22d47515900c37cca4ee121c5ba06a6d962d40ad6e1a595da

SHA512
c8bbe791373dad681f0ac9f5ab538119bde685d4f901f5db085c73163fc2e868972b2de60e72ccd44f745f1fd88fcde2e27f32302d8cbd3c1f43e6e657c79fba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.inf

Filesize
477B

MD5
ad8982eaa02c7ad4d7cdcbc248caa941

SHA1
4ccd8e038d73a5361d754c7598ed238fc040d16b

SHA256
d63c35e9b43eb0f28ffc28f61c9c9a306da9c9de3386770a7eb19faa44dbfc00

SHA512
5c805d78bafff06c36b5df6286709ddf2d36808280f92e62dc4c285edd9176195a764d5cf0bb000da53ca8bbf66ddd61d852e4259e3113f6529e2d7bdbdd6e28

Download Submit
C:\Users\Admin\AppData\Local\Temp\dSDyVhNp5BN0K3a.exe

Filesize
288KB

MD5
2cbd6ad183914a0c554f0739069e77d7

SHA1
7bf35f2afca666078db35ca95130beb2e3782212

SHA256
2cf71d098c608c56e07f4655855a886c3102553f648df88458df616b26fd612f

SHA512
ff1af2d2a883865f2412dddcd68006d1907a719fe833319c833f897c93ee750bac494c0991170dc1cf726b3f0406707daa361d06568cd610eeb4ed1d9c0fbb10

Download Submit
C:\Users\Admin\AppData\Local\Temp\dSDyVhNp5BN0K3a.exe

Filesize
288KB

MD5
2cbd6ad183914a0c554f0739069e77d7

SHA1
7bf35f2afca666078db35ca95130beb2e3782212

SHA256
2cf71d098c608c56e07f4655855a886c3102553f648df88458df616b26fd612f

SHA512
ff1af2d2a883865f2412dddcd68006d1907a719fe833319c833f897c93ee750bac494c0991170dc1cf726b3f0406707daa361d06568cd610eeb4ed1d9c0fbb10

Download Submit
C:\Windows\CTS.exe

Filesize
71KB

MD5
66df4ffab62e674af2e75b163563fc0b

SHA1
dec8a197312e41eeb3cfef01cb2a443f0205cd6e

SHA256
075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163

SHA512
1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25

Download Submit
C:\Windows\CTS.exe

Filesize
71KB

MD5
66df4ffab62e674af2e75b163563fc0b

SHA1
dec8a197312e41eeb3cfef01cb2a443f0205cd6e

SHA256
075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163

SHA512
1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25

Download Submit
C:\Windows\SysWOW64\directx\websetup\dsetup.dll

Filesize
93KB

MD5
984cad22fa542a08c5d22941b888d8dc

SHA1
3e3522e7f3af329f2235b0f0850d664d5377b3cd

SHA256
57bc22850bb8e0bcc511a9b54cd3da18eec61f3088940c07d63b9b74e7fe2308

SHA512
8ef171218b331f0591a4b2a5e68dcbae98f5891518ce877f1d8d1769c59c0f4ddae43cc43da6606975078f889c832f0666484db9e047782e7a0ae4a2d41f5bef

Download Submit
C:\Windows\SysWOW64\directx\websetup\dsetup.dll

Filesize
93KB

MD5
984cad22fa542a08c5d22941b888d8dc

SHA1
3e3522e7f3af329f2235b0f0850d664d5377b3cd

SHA256
57bc22850bb8e0bcc511a9b54cd3da18eec61f3088940c07d63b9b74e7fe2308

SHA512
8ef171218b331f0591a4b2a5e68dcbae98f5891518ce877f1d8d1769c59c0f4ddae43cc43da6606975078f889c832f0666484db9e047782e7a0ae4a2d41f5bef

Download Submit
C:\Windows\SysWOW64\directx\websetup\dsetup32.dll

Filesize
1.5MB

MD5
a5412a144f63d639b47fcc1ba68cb029

SHA1
81bd5f1c99b22c0266f3f59959dfb4ea023be47e

SHA256
8a011da043a4b81e2b3d41a332e0ff23a65d546bd7636e8bc74885e8746927d6

SHA512
2679a4cb690e8d709cb5e57b59315d22f69f91efa6c4ee841943751c882b0c0457fd4a3376ac3832c757c6dfaffb7d844909c5665b86a95339af586097ee0405

Download Submit
C:\Windows\SysWOW64\directx\websetup\dsetup32.dll

Filesize
1.5MB

MD5
a5412a144f63d639b47fcc1ba68cb029

SHA1
81bd5f1c99b22c0266f3f59959dfb4ea023be47e

SHA256
8a011da043a4b81e2b3d41a332e0ff23a65d546bd7636e8bc74885e8746927d6

SHA512
2679a4cb690e8d709cb5e57b59315d22f69f91efa6c4ee841943751c882b0c0457fd4a3376ac3832c757c6dfaffb7d844909c5665b86a95339af586097ee0405

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads