b3d19b69a733cabe5c029148116ff8a4dec8e116edc53aca2e9b2c85b968c484

General

Target

150cd612e03b6367513df71d47ae24db.exe
Size

1.0MB
MD5

150cd612e03b6367513df71d47ae24db
SHA1

9f9e40900c07b27154f80640a07d5fd5e4983141
SHA256

b3d19b69a733cabe5c029148116ff8a4dec8e116edc53aca2e9b2c85b968c484
SHA512

d2487c159bea733e0e57da631b5a2e1abe2e843effaa82534fc1c92bddee059b5250893543963ed45051ca1304182ede88ba50481206c62f553098ca7f083f61
SSDEEP

24576:h0wqqnqw4ZRj6p5O33pMdOXQj16DEgeDOfPTcmOUSaQij/Vc:h0wj3pypMcXG6XeD+PAmObaQWVc

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3332	ZIloBrdIpHZ0vJm.exe
1876	CTS.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2308-0-0x0000000000D80000-0x0000000000D97000-memory.dmp	upx
behavioral2/memory/1876-8-0x0000000000710000-0x0000000000727000-memory.dmp	upx
behavioral2/files/0x0007000000023202-7.dat	upx
behavioral2/memory/2308-9-0x0000000000D80000-0x0000000000D97000-memory.dmp	upx
behavioral2/files/0x000400000001e6ff-13.dat	upx
behavioral2/memory/1876-31-0x0000000000710000-0x0000000000727000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	150cd612e03b6367513df71d47ae24db.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	150cd612e03b6367513df71d47ae24db.exe
File created	C:\Windows\CTS.exe	CTS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2308	150cd612e03b6367513df71d47ae24db.exe
Token: SeDebugPrivilege	1876	CTS.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 3332	2308	150cd612e03b6367513df71d47ae24db.exe	56
PID 2308 wrote to memory of 3332	2308	150cd612e03b6367513df71d47ae24db.exe	56
PID 2308 wrote to memory of 1876	2308	150cd612e03b6367513df71d47ae24db.exe	66
PID 2308 wrote to memory of 1876	2308	150cd612e03b6367513df71d47ae24db.exe	66
PID 2308 wrote to memory of 1876	2308	150cd612e03b6367513df71d47ae24db.exe	66

C:\Users\Admin\AppData\Local\Temp\150cd612e03b6367513df71d47ae24db.exe
"C:\Users\Admin\AppData\Local\Temp\150cd612e03b6367513df71d47ae24db.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Users\Admin\AppData\Local\Temp\ZIloBrdIpHZ0vJm.exe
  C:\Users\Admin\AppData\Local\Temp\ZIloBrdIpHZ0vJm.exe
  2⤵
  - Executes dropped EXE
  PID:3332
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
352KB

MD5
64963c3d8f304cca6d1528941181d684

SHA1
e9bea151405c7a13cf9c3d297b990453eb4aef07

SHA256
b1df0fdf37778122b680cec989c890597e2a14c9da7ce4b6933b0ed4473916e1

SHA512
751612b7c7c95cb9800c6e8282e5f1136ce4e36d2658e073d94fe948f3b298d0fd788523f089604bb0ab221e7d2d871f1f319697f0185d2694990c69d3c6fe93

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZIloBrdIpHZ0vJm.exe

Filesize
679KB

MD5
088d72e30eb7a6fb5751c8b82d1973a2

SHA1
a044597f372b3e546a5307d49e86df474eb05608

SHA256
2ffcefbb4e10636e90658346a9e8f6e7a8481506ae1006e33399ae604673c44c

SHA512
1d16ff7406163f8165735ec47ebfeb4f456d82650009ed99d1b689a7795f2e65058e9a67c0f0dc80e719d6ab79ff45e7be868292230a382dd0d1ddf5cdbb2730

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZIloBrdIpHZ0vJm.exe

Filesize
1.0MB

MD5
1d4b392017a25e885245d2ff2a18937e

SHA1
dc915d8b0602cbd078bde1e1466d026aa344cee5

SHA256
da779f3254692c741750b2cbeeb8aa83ef9aa3c381084681a2e512b1671767ff

SHA512
083b3050af2be7be3879392359ba8e266564679c97128c792071587868ec16681d486aeb6abe0e3b31c8e516306c6632dad5b8360caded72c3d20fe4a7c4c3a3

Download Submit
C:\Windows\CTS.exe

Filesize
29KB

MD5
70aa23c9229741a9b52e5ce388a883ac

SHA1
b42683e21e13de3f71db26635954d992ebe7119e

SHA256
9d25cc704b1c00c9d17903e25ca35c319663e997cb9da0b116790b639e9688f2

SHA512
be604a2ad5ab8a3e5edb8901016a76042ba873c8d05b4ef8eec31241377ec6b2a883b51c6912dc7640581ffa624547db334683975883ae74e62808b5ae9ab0b5

Download Submit
memory/1876-8-0x0000000000710000-0x0000000000727000-memory.dmp

Filesize
92KB

Download
memory/1876-31-0x0000000000710000-0x0000000000727000-memory.dmp

Filesize
92KB

Download
memory/2308-0-0x0000000000D80000-0x0000000000D97000-memory.dmp

Filesize
92KB

Download
memory/2308-9-0x0000000000D80000-0x0000000000D97000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads