4109262ae0fc39424e57cc6eb837db2c4c4e17e32ab4554f7ee43f35262d5b52

General

Target

0938b53cbd901f8218bcd01116312f8a.exe
Size

42KB
MD5

0938b53cbd901f8218bcd01116312f8a
SHA1

8feb5285db9078d12456f604d6c1b1f44b99f8c9
SHA256

4109262ae0fc39424e57cc6eb837db2c4c4e17e32ab4554f7ee43f35262d5b52
SHA512

ae4e348ed72dde2e98fd3404d59d9ac4b2fb49d7a5b5855d9946bd1932372f788b915b520b85021313ec159bb19fd897ba7575a901012a2cad5e9f07dade0bda
SSDEEP

768:XocAX3LKew369lp2z3Sd4baFXLjwP/Tgj93b8NIocVSEFHnqoJF4h9949XJqfyD:SKcR4mjD9r823FHqc2hu+yD

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2120	CTS.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2344-1-0x0000000000140000-0x0000000000157000-memory.dmp	upx
behavioral1/memory/2344-9-0x0000000000140000-0x0000000000157000-memory.dmp	upx
behavioral1/memory/2120-12-0x0000000000F40000-0x0000000000F57000-memory.dmp	upx
behavioral1/files/0x000e0000000126a6-11.dat	upx
behavioral1/files/0x000e0000000126a6-10.dat	upx
behavioral1/files/0x000b00000001226e-14.dat	upx
behavioral1/memory/2344-5-0x0000000000070000-0x0000000000087000-memory.dmp	upx
behavioral1/files/0x000e0000000126a6-8.dat	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	0938b53cbd901f8218bcd01116312f8a.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	CTS.exe
File created	C:\Windows\CTS.exe	0938b53cbd901f8218bcd01116312f8a.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2344	0938b53cbd901f8218bcd01116312f8a.exe
Token: SeDebugPrivilege	2120	CTS.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 2120	2344	0938b53cbd901f8218bcd01116312f8a.exe	14
PID 2344 wrote to memory of 2120	2344	0938b53cbd901f8218bcd01116312f8a.exe	14
PID 2344 wrote to memory of 2120	2344	0938b53cbd901f8218bcd01116312f8a.exe	14
PID 2344 wrote to memory of 2120	2344	0938b53cbd901f8218bcd01116312f8a.exe	14

C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2120

C:\Users\Admin\AppData\Local\Temp\0938b53cbd901f8218bcd01116312f8a.exe
"C:\Users\Admin\AppData\Local\Temp\0938b53cbd901f8218bcd01116312f8a.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Lav4mfs6j0EZUi6.exe

Filesize
42KB

MD5
328955d012857bf5880e0b84979f4f3f

SHA1
6b4b7f27300a13e1ea6cc2a8c5b134af09afb644

SHA256
9ca47e4e23b1a2f2c8643aa825504f9f4c4e2731ec27096c50d094a95b55bd33

SHA512
0f25c81eb14dc2a96c3ca53eefe3f2991ee285f7b4b66872928f03fcc961917e50e0512133ed323d07cb6759ee48926e932491be952af38c09a88e33d0def140

Download Submit
C:\Windows\CTS.exe

Filesize
1KB

MD5
0859db8e0dd402c618fb5f557f761b2a

SHA1
5d7eecfaffa59685cf7816f532ad4a031ea17c0b

SHA256
2da091816b2151449d2f65c8190862c2848bf39f57ac60a7582307ba769f4f29

SHA512
c1f345ecf0ee5592c84bdf2c0d173bb63d4605b04096d4ac4b7f0187a6c7d4391cd5f71accbb3aa3192a8079c0373f90919d78364c0db8042976347e3bb79f50

Download Submit
C:\Windows\CTS.exe

Filesize
24KB

MD5
154e54e3d0b8cc52ec474cd4a2e69f14

SHA1
2aec01c9734e3298c6bb33d091ce9cb7b9020c7e

SHA256
3818a0cac1623e0a0dbe4378aab67de7550631fe0e318d1ccf330ff2c6aa86b3

SHA512
e05573bf9c3a4023eb81b2a42c5b6b39286fbbb97106cc62a09cf0e0b801117e71edad591041fd7cf6620f70a8cc0a4d6465a467f69c379eea0e6794bc45cd2f

Download Submit
C:\Windows\CTS.exe

Filesize
29KB

MD5
70aa23c9229741a9b52e5ce388a883ac

SHA1
b42683e21e13de3f71db26635954d992ebe7119e

SHA256
9d25cc704b1c00c9d17903e25ca35c319663e997cb9da0b116790b639e9688f2

SHA512
be604a2ad5ab8a3e5edb8901016a76042ba873c8d05b4ef8eec31241377ec6b2a883b51c6912dc7640581ffa624547db334683975883ae74e62808b5ae9ab0b5

Download Submit
memory/2120-12-0x0000000000F40000-0x0000000000F57000-memory.dmp

Filesize
92KB

Download
memory/2344-1-0x0000000000140000-0x0000000000157000-memory.dmp

Filesize
92KB

Download
memory/2344-9-0x0000000000140000-0x0000000000157000-memory.dmp

Filesize
92KB

Download
memory/2344-5-0x0000000000070000-0x0000000000087000-memory.dmp

Filesize
92KB

Download
memory/2344-18-0x0000000000070000-0x0000000000087000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads