Analysis
-
max time kernel
148s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
31/12/2023, 05:41
Behavioral task
behavioral1
Sample
2a6a35dd6204faf86248fa5f671dc04d.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
2a6a35dd6204faf86248fa5f671dc04d.exe
Resource
win10v2004-20231215-en
General
-
Target
2a6a35dd6204faf86248fa5f671dc04d.exe
-
Size
115KB
-
MD5
2a6a35dd6204faf86248fa5f671dc04d
-
SHA1
0b867d6f62ccc5d6e72cf0274299fec4856ad686
-
SHA256
9425ccfb3911b1af58bf9aea6e9d7e0aa3e9bf95de26dbb8f70c4f0316e572e3
-
SHA512
c73a4a8e15d491973f78aca42055982f61f44f8eee6762b71ef822acd479f5c91d0706ab2d67e1c7ab8aa765111b87a9a2b30962531deae8ee64945f47277fa3
-
SSDEEP
3072:SKcWmjRrz3ZKcWmjRrz30272yx/Jqr8Je2dd4f5+X1:hGyGfFi8s2du+X1
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid Process 4392 waPtvvx2KWuOesU.exe 4412 CTS.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral2/memory/4752-0-0x0000000000890000-0x00000000008A7000-memory.dmp upx behavioral2/memory/4412-9-0x0000000000610000-0x0000000000627000-memory.dmp upx behavioral2/files/0x00070000000231f4-8.dat upx behavioral2/files/0x00070000000231f4-7.dat upx behavioral2/memory/4752-6-0x0000000000890000-0x00000000008A7000-memory.dmp upx -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" 2a6a35dd6204faf86248fa5f671dc04d.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" CTS.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\CTS.exe 2a6a35dd6204faf86248fa5f671dc04d.exe File created C:\Windows\CTS.exe CTS.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 dw20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz dw20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString dw20.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS dw20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU dw20.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 4752 2a6a35dd6204faf86248fa5f671dc04d.exe Token: SeDebugPrivilege 4412 CTS.exe Token: SeBackupPrivilege 1848 dw20.exe Token: SeBackupPrivilege 1848 dw20.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 4752 wrote to memory of 4392 4752 2a6a35dd6204faf86248fa5f671dc04d.exe 23 PID 4752 wrote to memory of 4392 4752 2a6a35dd6204faf86248fa5f671dc04d.exe 23 PID 4752 wrote to memory of 4412 4752 2a6a35dd6204faf86248fa5f671dc04d.exe 16 PID 4752 wrote to memory of 4412 4752 2a6a35dd6204faf86248fa5f671dc04d.exe 16 PID 4752 wrote to memory of 4412 4752 2a6a35dd6204faf86248fa5f671dc04d.exe 16 PID 4392 wrote to memory of 1848 4392 waPtvvx2KWuOesU.exe 19 PID 4392 wrote to memory of 1848 4392 waPtvvx2KWuOesU.exe 19
Processes
-
C:\Users\Admin\AppData\Local\Temp\2a6a35dd6204faf86248fa5f671dc04d.exe"C:\Users\Admin\AppData\Local\Temp\2a6a35dd6204faf86248fa5f671dc04d.exe"1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4752 -
C:\Windows\CTS.exe"C:\Windows\CTS.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4412
-
-
C:\Users\Admin\AppData\Local\Temp\waPtvvx2KWuOesU.exeC:\Users\Admin\AppData\Local\Temp\waPtvvx2KWuOesU.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4392
-
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 8121⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:1848
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
56KB
MD5e115521ba14b75f53dcdff087ec6898f
SHA187103a892bb514a93d485fba221bacb9da3aae25
SHA25659b284d0ad4c2634938e70fae67d9048bd98422d052fbd745a9b80b5fae7ae29
SHA512ab3d097bcf11bf7327a28124052b210f5fb13b9bfb9b7376cae1ba5c30182a330506935288a7fe06b7e3fdd82b57f5c31638f1c301738342819c772b346fa35a
-
Filesize
59KB
MD55efd390d5f95c8191f5ac33c4db4b143
SHA142d81b118815361daa3007f1a40f1576e9a9e0bc
SHA2566028434636f349d801465f77af3a1e387a9c5032942ca6cadb6506d0800f2a74
SHA512720fbe253483dc034307a57a2860c8629a760f883603198d1213f5290b7f236bf0f5f237728ebed50962be83dc7dc4abe61a1e9a55218778495fc6580eb20b3d