d78bfa2a5b36e21a96eba053882465f0950ce5fdf1b5f4ab6c00a5e56faa2c78

General

Target

03019ca8a4cab959ba202bba1990a3ff.exe
Size

103KB
MD5

03019ca8a4cab959ba202bba1990a3ff
SHA1

24ebcfbe2687d451831e0f146bfa3cad0037b1e0
SHA256

d78bfa2a5b36e21a96eba053882465f0950ce5fdf1b5f4ab6c00a5e56faa2c78
SHA512

310604f051ce8ae6e3338140d5c692ca41f2b6b133e42332bd58d48fc36ccd74dfc54c48c1bb7293aa7b178eb05986ce44d62f99e16fe792a9f84e58c3ba8daa
SSDEEP

3072:sr3KcWmjRrzSw4Sg7/2PHoF/hEXCqROe0Dzj:/x/iHouC+t0Dzj

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4672	OWSrr5hZrNFVwCP.exe
3620	CTS.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/488-0-0x0000000000120000-0x0000000000137000-memory.dmp	upx
behavioral2/memory/488-9-0x0000000000120000-0x0000000000137000-memory.dmp	upx
behavioral2/memory/3620-8-0x00000000004F0000-0x0000000000507000-memory.dmp	upx
behavioral2/files/0x0007000000023214-7.dat	upx
behavioral2/files/0x0007000000023214-6.dat	upx
behavioral2/files/0x0005000000022717-13.dat	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	03019ca8a4cab959ba202bba1990a3ff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	03019ca8a4cab959ba202bba1990a3ff.exe
File created	C:\Windows\CTS.exe	CTS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	488	03019ca8a4cab959ba202bba1990a3ff.exe
Token: SeDebugPrivilege	3620	CTS.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 488 wrote to memory of 4672	488	03019ca8a4cab959ba202bba1990a3ff.exe	21
PID 488 wrote to memory of 4672	488	03019ca8a4cab959ba202bba1990a3ff.exe	21
PID 488 wrote to memory of 4672	488	03019ca8a4cab959ba202bba1990a3ff.exe	21
PID 488 wrote to memory of 3620	488	03019ca8a4cab959ba202bba1990a3ff.exe	25
PID 488 wrote to memory of 3620	488	03019ca8a4cab959ba202bba1990a3ff.exe	25
PID 488 wrote to memory of 3620	488	03019ca8a4cab959ba202bba1990a3ff.exe	25

C:\Users\Admin\AppData\Local\Temp\03019ca8a4cab959ba202bba1990a3ff.exe
"C:\Users\Admin\AppData\Local\Temp\03019ca8a4cab959ba202bba1990a3ff.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:488
- C:\Users\Admin\AppData\Local\Temp\OWSrr5hZrNFVwCP.exe
  C:\Users\Admin\AppData\Local\Temp\OWSrr5hZrNFVwCP.exe
  2⤵
  - Executes dropped EXE
  PID:4672
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:3620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
57KB

MD5
c195b79e5712f38b3706f63190b1f3ea

SHA1
dcce28a83366002ad254779a44d5d0e61d4862fe

SHA256
0f03dab1cb32190b84bf3cf7ce7c2ee73c2c47eddb7affc0b081dcf6783acf70

SHA512
64cbf8ac4fd5ac386e1caebece44218bae7cad6e683453ed8024ecc5704eb5d12cb9ba090daa241224ee5d4b773c6d06c631e2cf3d5b1db6cd92043265ccca36

Download Submit
C:\Users\Admin\AppData\Local\Temp\OWSrr5hZrNFVwCP.exe

Filesize
64KB

MD5
8163f3510e8127b50641a08542519933

SHA1
4e411a187a5e06dbac00b5d4b92effedbef257f7

SHA256
4a02f0433da057a8607c168ba5755d4f0f3eda73f2cdcf32f26821e25a59961a

SHA512
bbd0e2a427015fee64c8d24787e80a7999769935323636db8bd72b2cecb4264bd9fe12614f38ca880a8e142b7d50f1f51dbdfcdfaa59b5725b94c3f0e5fc6231

Download Submit
C:\Users\Admin\AppData\Local\Temp\OWSrr5hZrNFVwCP.exe

Filesize
5KB

MD5
0d51b592564faf26be91b697b8c2e336

SHA1
a5b5ba186c723535455a59d53c42d46bb1fc6368

SHA256
d2a57890046872488701be9bee16ad76ff85aac04b3a81287a46f0c9b0cd63b6

SHA512
9deb2c3f292fbdaf6d62bb105a9943fbe9287656b6b4531fba78ef87657b9af2d07b897f079139c57859686c606a8a4a72cc714fde3de064e05e05c5fff7f2e0

Download Submit
C:\Windows\CTS.exe

Filesize
26KB

MD5
6937040182e71cb4cfaa2fa206d6b425

SHA1
84419081ccfee401a562fd5855581533d86ed7c6

SHA256
b5ab0495d5f6fdb358ebbb655e9e9cfbf80461b35f5baa3aeb8bb6ebfd9d431f

SHA512
f2f9ded4c0ad22e41c4d0a10d3e44dd272b303264078c06258d6c3d9adb392687d5b1ac1507b3ef8e9e3376f93f03f7cae9bdb5644d051ec9230bbf5ae111285

Download Submit
C:\Windows\CTS.exe

Filesize
35KB

MD5
93e5f18caebd8d4a2c893e40e5f38232

SHA1
fd55c4e6bcd108bce60ea719c06dc9c4d0adafa6

SHA256
a66c4b98becac2f69cb107cd087d7a2ca9ef511bc3b83367b1f440f11dd159a8

SHA512
986583610d27caae2080834301d072557c5d2c85e33f0d19ab1245d7eae8db146397461572ddb3d491be16f3af210720d54267dac838fdad8fe34afa3d6b7f54

Download Submit
memory/488-0-0x0000000000120000-0x0000000000137000-memory.dmp

Filesize
92KB

Download
memory/488-9-0x0000000000120000-0x0000000000137000-memory.dmp

Filesize
92KB

Download
memory/3620-8-0x00000000004F0000-0x0000000000507000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads