295d64429e4a0243a5bead0e06681027a7048abaa85af3ba9e18d318dbbfeeed

General

Target

1e36e5c3a4cdbc682b4a1233228dd600.exe
Size

146KB
MD5

1e36e5c3a4cdbc682b4a1233228dd600
SHA1

4e4dda966079c238eabf39ed1d7372fd2f82a159
SHA256

295d64429e4a0243a5bead0e06681027a7048abaa85af3ba9e18d318dbbfeeed
SHA512

47538f4850815a961f83c9c8c4140e938330c2186bcbda47a389d22aee20d571918b3aefa19bcf793f16a37d4601e43cfb0d2ec0fe256bc3450dfe7cfdb8895b
SSDEEP

3072:Xjr87S7Gnz55EoIE42hEFdnsmfbE316gOCbg:sZl2S44EbzW16gg

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2196	4sAFQW7m29oO8A3.exe
2376	CTS.exe

Loads dropped DLL 2 IoCs

pid	Process
2040	1e36e5c3a4cdbc682b4a1233228dd600.exe
2040	1e36e5c3a4cdbc682b4a1233228dd600.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2040-0-0x0000000000860000-0x0000000000879000-memory.dmp	upx
behavioral1/files/0x000d0000000122c3-16.dat	upx
behavioral1/memory/2040-14-0x0000000000860000-0x0000000000879000-memory.dmp	upx
behavioral1/memory/2376-17-0x0000000000350000-0x0000000000369000-memory.dmp	upx
behavioral1/files/0x0008000000012248-20.dat	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	1e36e5c3a4cdbc682b4a1233228dd600.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	1e36e5c3a4cdbc682b4a1233228dd600.exe
File created	C:\Windows\CTS.exe	CTS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2040	1e36e5c3a4cdbc682b4a1233228dd600.exe
Token: SeDebugPrivilege	2376	CTS.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 2196	2040	1e36e5c3a4cdbc682b4a1233228dd600.exe	28
PID 2040 wrote to memory of 2196	2040	1e36e5c3a4cdbc682b4a1233228dd600.exe	28
PID 2040 wrote to memory of 2196	2040	1e36e5c3a4cdbc682b4a1233228dd600.exe	28
PID 2040 wrote to memory of 2196	2040	1e36e5c3a4cdbc682b4a1233228dd600.exe	28
PID 2040 wrote to memory of 2376	2040	1e36e5c3a4cdbc682b4a1233228dd600.exe	29
PID 2040 wrote to memory of 2376	2040	1e36e5c3a4cdbc682b4a1233228dd600.exe	29
PID 2040 wrote to memory of 2376	2040	1e36e5c3a4cdbc682b4a1233228dd600.exe	29
PID 2040 wrote to memory of 2376	2040	1e36e5c3a4cdbc682b4a1233228dd600.exe	29

C:\Users\Admin\AppData\Local\Temp\1e36e5c3a4cdbc682b4a1233228dd600.exe
"C:\Users\Admin\AppData\Local\Temp\1e36e5c3a4cdbc682b4a1233228dd600.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Users\Admin\AppData\Local\Temp\4sAFQW7m29oO8A3.exe
  C:\Users\Admin\AppData\Local\Temp\4sAFQW7m29oO8A3.exe
  2⤵
  - Executes dropped EXE
  PID:2196
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4sAFQW7m29oO8A3.exe

Filesize
146KB

MD5
4e18ef5d886de9bca4838faf312d046c

SHA1
b6d4e4acd88d5f7be2d46f44630ae19de4c28098

SHA256
8500b7edab6b74da64a5bcac9a4efde500977b45ec40799d9c3393db517a5d88

SHA512
b175ef3f6c101e9c8aa065fbf17be8210e13faa27a4df0ffffc9e437748cc9ff2c5a156197ce5852025dc1d8b624041172683194c1ef9f1f910fe2d5cf9a5b5d

Download Submit
C:\Windows\CTS.exe

Filesize
82KB

MD5
546ffd2b72777e6a9e350780b79f99d4

SHA1
a620be74a2f432656e38e51cd02fbdc3e3b312c2

SHA256
c651b378896fad56ddeb1fec2c578a822bbb13269ec881f9420bbf47c9fbfbb5

SHA512
57d49f830f9774ef0a4b6d026211360ea4ebcc6b236b72107401284559c7c589733bccc8af10c5a0cee5b97880d24a4e9954beb81887b1b124f8a42cca456fac

Download Submit
\Users\Admin\AppData\Local\Temp\4sAFQW7m29oO8A3.exe

Filesize
64KB

MD5
e97c622b03fb2a2598bf019fbbe29f2c

SHA1
32698bd1d3a0ff6cf441770d1b2b816285068d19

SHA256
5c1af46c7300e87a73dacf6cf41ce397e3f05df6bd9c7e227b4ac59f85769160

SHA512
db70c62fb35a8e5b005f13b57c1ebbf6c465f6ff0524422294c43e27fb4aa79379dc1e300ad11dc2354405c43b192ae06b91c0f525a1f2617e4d14673651a87d

Download Submit
memory/2040-0-0x0000000000860000-0x0000000000879000-memory.dmp

Filesize
100KB

Download
memory/2040-14-0x0000000000860000-0x0000000000879000-memory.dmp

Filesize
100KB

Download
memory/2376-17-0x0000000000350000-0x0000000000369000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads