9c3efb0fbb77ff76d63a978cbbf6772f390149e42f3c4284456c70382865b759

Analysis

max time kernel
143s
max time network
142s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
22/12/2023, 14:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba1cdda6016f6bc48245c20fc242b810.exe
Size

912KB
MD5

ba1cdda6016f6bc48245c20fc242b810
SHA1

d5de7e0a9d06308687a0c21614d2f73c2bc6e885
SHA256

9c3efb0fbb77ff76d63a978cbbf6772f390149e42f3c4284456c70382865b759
SHA512

5ec8764f4ce23d6b3ec8e2e25df97dc4fb021d171e576c29ced70ccd93b8d72d4865dbb66ffed252b6bef20431998cba527e14b0de4ae30d61b95c8c63c74c31
SSDEEP

24576:/Q/xFf1SeovowhaxZMPjtUPqDuzvknrikFLRZJ:/Q/bdSeoMZM5SqDevgiql

Score

7^/10

persistence spyware stealer upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2980	8DX06QAfmlJMl8C.exe
1240	CTS.exe
2764	8DX06QAfmlJMl8C.exe

Loads dropped DLL 3 IoCs

pid	Process
2016	ba1cdda6016f6bc48245c20fc242b810.exe
2980	8DX06QAfmlJMl8C.exe
2764	8DX06QAfmlJMl8C.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2016-0-0x0000000001390000-0x00000000013A7000-memory.dmp	upx
behavioral1/files/0x003000000001562f-11.dat	upx
behavioral1/memory/1240-16-0x0000000001340000-0x0000000001357000-memory.dmp	upx
behavioral1/memory/2016-13-0x0000000001390000-0x00000000013A7000-memory.dmp	upx
behavioral1/memory/2016-12-0x0000000001340000-0x0000000001357000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	ba1cdda6016f6bc48245c20fc242b810.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	ba1cdda6016f6bc48245c20fc242b810.exe
File created	C:\Windows\CTS.exe	CTS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2016	ba1cdda6016f6bc48245c20fc242b810.exe
Token: SeDebugPrivilege	1240	CTS.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 2980	2016	ba1cdda6016f6bc48245c20fc242b810.exe	28
PID 2016 wrote to memory of 2980	2016	ba1cdda6016f6bc48245c20fc242b810.exe	28
PID 2016 wrote to memory of 2980	2016	ba1cdda6016f6bc48245c20fc242b810.exe	28
PID 2016 wrote to memory of 2980	2016	ba1cdda6016f6bc48245c20fc242b810.exe	28
PID 2016 wrote to memory of 2980	2016	ba1cdda6016f6bc48245c20fc242b810.exe	28
PID 2016 wrote to memory of 2980	2016	ba1cdda6016f6bc48245c20fc242b810.exe	28
PID 2016 wrote to memory of 2980	2016	ba1cdda6016f6bc48245c20fc242b810.exe	28
PID 2016 wrote to memory of 1240	2016	ba1cdda6016f6bc48245c20fc242b810.exe	29
PID 2016 wrote to memory of 1240	2016	ba1cdda6016f6bc48245c20fc242b810.exe	29
PID 2016 wrote to memory of 1240	2016	ba1cdda6016f6bc48245c20fc242b810.exe	29
PID 2016 wrote to memory of 1240	2016	ba1cdda6016f6bc48245c20fc242b810.exe	29
PID 2980 wrote to memory of 2764	2980	8DX06QAfmlJMl8C.exe	30
PID 2980 wrote to memory of 2764	2980	8DX06QAfmlJMl8C.exe	30
PID 2980 wrote to memory of 2764	2980	8DX06QAfmlJMl8C.exe	30
PID 2980 wrote to memory of 2764	2980	8DX06QAfmlJMl8C.exe	30
PID 2980 wrote to memory of 2764	2980	8DX06QAfmlJMl8C.exe	30
PID 2980 wrote to memory of 2764	2980	8DX06QAfmlJMl8C.exe	30
PID 2980 wrote to memory of 2764	2980	8DX06QAfmlJMl8C.exe	30

C:\Users\Admin\AppData\Local\Temp\ba1cdda6016f6bc48245c20fc242b810.exe
"C:\Users\Admin\AppData\Local\Temp\ba1cdda6016f6bc48245c20fc242b810.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Users\Admin\AppData\Local\Temp\8DX06QAfmlJMl8C.exe
  C:\Users\Admin\AppData\Local\Temp\8DX06QAfmlJMl8C.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Windows\Temp\{3836FECB-938F-4EF3-9A9C-4E8941187831}\.cr\8DX06QAfmlJMl8C.exe
    "C:\Windows\Temp\{3836FECB-938F-4EF3-9A9C-4E8941187831}\.cr\8DX06QAfmlJMl8C.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\8DX06QAfmlJMl8C.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2764
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8DX06QAfmlJMl8C.exe

Filesize
764KB

MD5
222cda2984ba67f9905cbc2b77a07469

SHA1
faa8ca054e2619e18a484eaf217ccc3c66c895da

SHA256
1657aa5ef284c9174a8450b661a255f9f6511be91e38df780e4abd788bc0ce21

SHA512
41d55732ae94e76633dc38671758cbe75ba245f214c5dd56ad2a4e65d890fc1be6b249d14e7cc5a3ae3fe91fc1dfe1d90616a193dd1f5c8e2f2373500446f26f

Download Submit
C:\Windows\CTS.exe

Filesize
71KB

MD5
22069d1278ebf7d1758e20c4b118c39a

SHA1
cfd6c00953bc91dfa91a809e99a230b0ad222eec

SHA256
c4875ef691c5e0dbcdc5dd700f610042ec63e251f184150eeb3e7ab1dde3c9ba

SHA512
7ffbb4fce2779e7dc7ea19773a843eb174eb9e8dfc136a45ce8606c6c1657887f73409bfc780c391fe38dacc56c8a6ca4f84d3656236d631b42ec2946346b61d

Download Submit
C:\Windows\Temp\{3836FECB-938F-4EF3-9A9C-4E8941187831}\.cr\8DX06QAfmlJMl8C.exe

Filesize
401KB

MD5
ac1fb671c419a3cf526d9d3e991f4366

SHA1
94613bbbe2023b3e9fd56733d764b97ea1763301

SHA256
340f4b12f0a97dd79b8070f3b283b0c342865e34ba848da6fc7999acc379171b

SHA512
dd4307b732f4a0112bd616e68726bb3c8fe60f13ddee62fb2f9719fc2409f363f5cc7bf6dcbfcc42bc8449918ebc2d90d5d5e5260cd741dfab949cc529719f25

Download Submit
C:\Windows\Temp\{3836FECB-938F-4EF3-9A9C-4E8941187831}\.cr\8DX06QAfmlJMl8C.exe

Filesize
520KB

MD5
a7173d660c34210c0d5bd07330e8c903

SHA1
562e3008939cbba7998aefb349466fb0df506282

SHA256
0829ca0d38bdf2f8008e75bb0651507f92a817de1a77a0dab0ad137fbd2cd055

SHA512
cfbc118effe8d3051a131680df08c783c44d773114f7d4de31200c203de4e43eec7b0ee783a9597a03f6177abe19f15f107d150a0c5b2e0c7069af8f57776ece

Download Submit
C:\Windows\Temp\{3836FECB-938F-4EF3-9A9C-4E8941187831}\.cr\8DX06QAfmlJMl8C.exe

Filesize
443KB

MD5
2718e409bb5fb30f4cc3bfe23d686b7d

SHA1
0714352e5b81a4ffeb4d89f3c2dccc6b62bc493d

SHA256
f1b8ba4d9899df4dc638c265d5de99a48f456618a2f1148030134fd7a51cd2fa

SHA512
50ba220004606c9425fa72a1f4dd8791f384bcfb9020acc3ec4533380d276f7cb30f8edadf84d18093d46dd1742b9d5c1db730e845ab1fcfceab3f62205a39dd

Download Submit
C:\Windows\Temp\{58240E2F-D29E-41D3-9AC3-46C70B1331A5}\.ba\SideBar.png

Filesize
56KB

MD5
ca62a92ad5b307faeac640cd5eb460ed

SHA1
5edf8b5fc931648f77a2a131e4c733f1d31b548e

SHA256
f3109977125d4a3a3ffa17462cfc31799589f466a51d226d1d1f87df2f267627

SHA512
f7b3001a957f393298b0ff2aa08b400f8639f2f0487a34ac2a0e8d9519765ac92249185ebe45f907bc9d2f8556fdd39095c52f890330a35edf71ae49df32e27a

Download Submit
\Users\Admin\AppData\Local\Temp\8DX06QAfmlJMl8C.exe

Filesize
841KB

MD5
f33aac555c5e5a2c10d07e3bbf9a9e82

SHA1
75fa5322fdc00223246bc70fcb6772ae9f10e97c

SHA256
8977d454b74e2abbafc3be6a3b2e7946d1cde530d742235bc1e5cc229e231aa6

SHA512
a64d465c327cd3799044fa1e8786812e055b72aea7faeac66916c7cf1f762bb919d211060cc7944b84037c316babb796ef449d1049a162d8faa51b08d05cef34

Download Submit
\Windows\Temp\{3836FECB-938F-4EF3-9A9C-4E8941187831}\.cr\8DX06QAfmlJMl8C.exe

Filesize
458KB

MD5
ce1fa6eab56ba181862b8f7c2ab8a7eb

SHA1
4205f9841ecb0781d822fd94bd18e8d3573c1dc9

SHA256
2c1d77ecd8f943b6fdc04f8e2241bc949628e4795196099264e5a1e7d0207da8

SHA512
701e78897759773101557bca266068ff3aec8e3f5e1611fbd5fba84cf304e46c939d60461f682b046731aa2b5c395830e7a4c24b04a0f91dd6012701a9fdeaa0

Download Submit
\Windows\Temp\{58240E2F-D29E-41D3-9AC3-46C70B1331A5}\.ba\PythonBA.dll

Filesize
504KB

MD5
eceacbabccdd5004ddc2d489ea2af763

SHA1
5cec43ea31f41b8a411729eb0bed804f25a4f112

SHA256
5dbebfdd9e20230e37cdfae429b52accb5898314cfc6220b7ee1751946a9c443

SHA512
83240f70da834bf399d2b6235b0ba91049b20c8a79c9ca9a5e14f986b527a2bbef44365553d210f8a0ac0c8b9039cb1934bd809413bd7839f3110d0c5e1a9070

Download Submit
memory/1240-16-0x0000000001340000-0x0000000001357000-memory.dmp

Filesize
92KB

Download
memory/2016-13-0x0000000001390000-0x00000000013A7000-memory.dmp

Filesize
92KB

Download
memory/2016-12-0x0000000001340000-0x0000000001357000-memory.dmp

Filesize
92KB

Download
memory/2016-0-0x0000000001390000-0x00000000013A7000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads