59b75e2d828bd41b3bc702b640caf86f158ebf9450e464ca80e25d3475d0bf21

Analysis

max time kernel
141s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2023, 06:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75825bbdbe90fa33168a5e02458d45a9.exe
Size

290KB
MD5

75825bbdbe90fa33168a5e02458d45a9
SHA1

22d1fa69017a53414ccd69cd9759178be952d163
SHA256

59b75e2d828bd41b3bc702b640caf86f158ebf9450e464ca80e25d3475d0bf21
SHA512

90441b32cf882c07bf613571db24d233fefb129f68e428efafef7dc0c55c09b27000c9de85bfe590f41ea0c45f663ff8c9b643350475efa55c2cc5a2e9fd07d3
SSDEEP

6144:/CBv9kgFL47m/w3Ld1KrYXslxaW3pyJfU:/CBv6weseLruxctU

Score

7^/10

persistence spyware stealer upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4336	kSpCEVAPEDfRgbG.exe
4628	CTS.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4080-0-0x0000000000600000-0x0000000000617000-memory.dmp	upx
behavioral2/memory/4080-8-0x0000000000600000-0x0000000000617000-memory.dmp	upx
behavioral2/memory/4628-10-0x0000000000550000-0x0000000000567000-memory.dmp	upx
behavioral2/files/0x000f000000023164-9.dat	upx
behavioral2/files/0x0003000000022764-13.dat	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	75825bbdbe90fa33168a5e02458d45a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	CTS.exe
File created	C:\Windows\CTS.exe	75825bbdbe90fa33168a5e02458d45a9.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4080	75825bbdbe90fa33168a5e02458d45a9.exe
Token: SeDebugPrivilege	4628	CTS.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4080 wrote to memory of 4336	4080	75825bbdbe90fa33168a5e02458d45a9.exe	22
PID 4080 wrote to memory of 4336	4080	75825bbdbe90fa33168a5e02458d45a9.exe	22
PID 4080 wrote to memory of 4628	4080	75825bbdbe90fa33168a5e02458d45a9.exe	20
PID 4080 wrote to memory of 4628	4080	75825bbdbe90fa33168a5e02458d45a9.exe	20
PID 4080 wrote to memory of 4628	4080	75825bbdbe90fa33168a5e02458d45a9.exe	20

C:\Users\Admin\AppData\Local\Temp\75825bbdbe90fa33168a5e02458d45a9.exe
"C:\Users\Admin\AppData\Local\Temp\75825bbdbe90fa33168a5e02458d45a9.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4080
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:4628
- C:\Users\Admin\AppData\Local\Temp\kSpCEVAPEDfRgbG.exe
  C:\Users\Admin\AppData\Local\Temp\kSpCEVAPEDfRgbG.exe
  2⤵
  - Executes dropped EXE
  PID:4336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
51KB

MD5
19ff0db47f25243166fa06b0cb4dd4a9

SHA1
e0585006e17cd19679b46ce2756d26a5d23c4109

SHA256
3919a4502d8112b45cbf4c9cd33705e7c5986850fb4321de6db8b9d25544d134

SHA512
f670cd06c86399ede26dc63361ba6170780c1490fc122aa5e66c03089519ee4595262f3bcab6cff7a327530dd3bf8388af5f75f7a37055e376759c157fa15d53

Download Submit
C:\Users\Admin\AppData\Local\Temp\kSpCEVAPEDfRgbG.exe

Filesize
38KB

MD5
157de993246a171ac1da71f8998f5276

SHA1
1cce7de5133d7eb845ea5f5410baecde95ee2bae

SHA256
a609e9a29c69cc3e3f829b8fb6c3a2808b08171728153148f441a25cf6daccd1

SHA512
205d0df2e0114981425e16f487a7a75e36018be19297d6c28c22e6f441d405217f476e71e6504d3e5f23c6299340c7613a9fcf000b69b8782ea215f8f99605ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\kSpCEVAPEDfRgbG.exe

Filesize
100KB

MD5
c342255316a671049bbf2f95fbd82267

SHA1
b32f7ece08362d6dcb8495c773f198257b3c0c75

SHA256
b6b74f6ead043e3610acf1aac431041cee98fe6067735d24e58296f7c2e2c668

SHA512
7fc6ff26b084182ee0e08e9397bb67d426a14d76b93cc36650a1fcf6d27dcd1c2b5876298a14d09676684e7107063bbfcf8cb248c918fcd00ad13dbde5c7a939

Download Submit
C:\Windows\CTS.exe

Filesize
71KB

MD5
57dc894376d6ffbf9af1929bd6688b6c

SHA1
cf5f1891e39142f13d3f007e2957a0d302efafff

SHA256
25001e3946468d3aa0f86f1ae322fb8354fc1c96052227346c41fb12d63fa129

SHA512
922c081df01cdcaef8cf91a484bdfe1c412a5e716aada86b3f3f61e020173cc9bd8318c072eff7f59140687fdaf3a722d62fc4c56891f906797a909da311dab1

Download Submit
memory/4080-0-0x0000000000600000-0x0000000000617000-memory.dmp

Filesize
92KB

Download
memory/4080-8-0x0000000000600000-0x0000000000617000-memory.dmp

Filesize
92KB

Download
memory/4628-10-0x0000000000550000-0x0000000000567000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads