Analysis
-
max time kernel
144s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
04/01/2024, 05:26
Behavioral task
behavioral1
Sample
4002a100f2d5c79432818ddf0bbc2c5d.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
4002a100f2d5c79432818ddf0bbc2c5d.exe
Resource
win10v2004-20231215-en
General
-
Target
4002a100f2d5c79432818ddf0bbc2c5d.exe
-
Size
46KB
-
MD5
4002a100f2d5c79432818ddf0bbc2c5d
-
SHA1
64a3e2c5343cd9c5a6067a79e6997edcd4851c68
-
SHA256
b3c02856b12d3a7aa48e4a53879f34290ec282da57cd81fff62825c86ff8e11a
-
SHA512
4c99e8a570a4ae782b43d50b7bbd46dd0e911b429dee60025ffc43353c05c84a7fffad947aa80c1928b2173bf0e502c4eac0cfd9be6a9cff34ef9d54b00f4a16
-
SSDEEP
768:XocAX3LKew369lp2z3Sd4baFXLjwP/Tgj93b8NIocVSEFlzdNskHBloawqrY+0FZ:SKcR4mjD9r823FlJfloajuu+5BZ
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 1848 CTS.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral2/memory/1688-0-0x0000000000210000-0x0000000000227000-memory.dmp upx behavioral2/files/0x000600000002320c-6.dat upx behavioral2/memory/1688-7-0x0000000000210000-0x0000000000227000-memory.dmp upx behavioral2/memory/1848-9-0x0000000000AF0000-0x0000000000B07000-memory.dmp upx behavioral2/files/0x000400000001e6ff-12.dat upx behavioral2/files/0x000600000002320b-29.dat upx -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" 4002a100f2d5c79432818ddf0bbc2c5d.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" CTS.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\CTS.exe 4002a100f2d5c79432818ddf0bbc2c5d.exe File created C:\Windows\CTS.exe CTS.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1688 4002a100f2d5c79432818ddf0bbc2c5d.exe Token: SeDebugPrivilege 1848 CTS.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1688 wrote to memory of 1848 1688 4002a100f2d5c79432818ddf0bbc2c5d.exe 90 PID 1688 wrote to memory of 1848 1688 4002a100f2d5c79432818ddf0bbc2c5d.exe 90 PID 1688 wrote to memory of 1848 1688 4002a100f2d5c79432818ddf0bbc2c5d.exe 90
Processes
-
C:\Users\Admin\AppData\Local\Temp\4002a100f2d5c79432818ddf0bbc2c5d.exe"C:\Users\Admin\AppData\Local\Temp\4002a100f2d5c79432818ddf0bbc2c5d.exe"1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\CTS.exe"C:\Windows\CTS.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1848
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
352KB
MD5c84691274cb88d35286631d086fa43d9
SHA139c099871ce446b1a8fca92df5c104b74522b5f7
SHA256e26ba590c887e61df94afb650ec312b6fd462a6ab0e948f85f21461684a86137
SHA5123494553865d216ce2ec62e2090c48384e980c3dc8d289eaa0213d12f96747837320df7ca369f873bb88cb9a37157a0e3daf76848c423304be18dcfbb0e78acb0
-
Filesize
46KB
MD5dc35ff240c402ff6b3c0294a0f9d35de
SHA10d8f74fe844e6300e9cbe137815245db272dcdd0
SHA256d1b97ff3da5c23346ab0beb90bb7be753cc6845b20fb4fe4c678d1023dbb2030
SHA512c89073f0a51fcf26f602d2e822402a26bd2041a5e36a7c839d487521bc82e67f8f2afe803421a9d78b743fbd2127cfca0236a81fcf51ab8e87f6a6345b5d13f0
-
Filesize
29KB
MD570aa23c9229741a9b52e5ce388a883ac
SHA1b42683e21e13de3f71db26635954d992ebe7119e
SHA2569d25cc704b1c00c9d17903e25ca35c319663e997cb9da0b116790b639e9688f2
SHA512be604a2ad5ab8a3e5edb8901016a76042ba873c8d05b4ef8eec31241377ec6b2a883b51c6912dc7640581ffa624547db334683975883ae74e62808b5ae9ab0b5