6b0c74f6cfd8e747d6275ba28a94a893e67afdda7360d1336a40ece8ec91eb76

General

Target

43553c087d242404840c8eb1fd302eb6.exe
Size

130KB
MD5

43553c087d242404840c8eb1fd302eb6
SHA1

ea4d2e6a88f53591af1ad26dc353b5b9b10f8578
SHA256

6b0c74f6cfd8e747d6275ba28a94a893e67afdda7360d1336a40ece8ec91eb76
SHA512

f081f1acc19f9096075f9f50528d628f8d369f6671ec6bb5a5481bda4b9237c1c63ee0c3914d5c26db4561b2a184b1448f6d65cc97fc39d1cae3d8a5f8d6ab76
SSDEEP

3072:sr3KcWmjRrzSxqZoChjOOFyTDj+vqIRVQh8QT452RIaIhpQ3cdcG:/rXOGjvIb5uIaQc81

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2740	hx7tlJ4jKsSospX.exe
2844	CTS.exe

Loads dropped DLL 1 IoCs

pid	Process
2972	43553c087d242404840c8eb1fd302eb6.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2844-13-0x0000000000CD0000-0x0000000000CE7000-memory.dmp	upx
behavioral1/files/0x000a0000000133c4-12.dat	upx
behavioral1/memory/2972-11-0x0000000000CF0000-0x0000000000D07000-memory.dmp	upx
behavioral1/files/0x000a0000000133c4-9.dat	upx
behavioral1/files/0x000a0000000133c4-10.dat	upx
behavioral1/memory/2972-1-0x0000000000CF0000-0x0000000000D07000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	43553c087d242404840c8eb1fd302eb6.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	43553c087d242404840c8eb1fd302eb6.exe
File created	C:\Windows\CTS.exe	CTS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2972	43553c087d242404840c8eb1fd302eb6.exe
Token: SeDebugPrivilege	2844	CTS.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 2740	2972	43553c087d242404840c8eb1fd302eb6.exe	17
PID 2972 wrote to memory of 2740	2972	43553c087d242404840c8eb1fd302eb6.exe	17
PID 2972 wrote to memory of 2740	2972	43553c087d242404840c8eb1fd302eb6.exe	17
PID 2972 wrote to memory of 2740	2972	43553c087d242404840c8eb1fd302eb6.exe	17
PID 2972 wrote to memory of 2844	2972	43553c087d242404840c8eb1fd302eb6.exe	16
PID 2972 wrote to memory of 2844	2972	43553c087d242404840c8eb1fd302eb6.exe	16
PID 2972 wrote to memory of 2844	2972	43553c087d242404840c8eb1fd302eb6.exe	16
PID 2972 wrote to memory of 2844	2972	43553c087d242404840c8eb1fd302eb6.exe	16

C:\Users\Admin\AppData\Local\Temp\43553c087d242404840c8eb1fd302eb6.exe
"C:\Users\Admin\AppData\Local\Temp\43553c087d242404840c8eb1fd302eb6.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2844
- C:\Users\Admin\AppData\Local\Temp\hx7tlJ4jKsSospX.exe
  C:\Users\Admin\AppData\Local\Temp\hx7tlJ4jKsSospX.exe
  2⤵
  - Executes dropped EXE
  PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hx7tlJ4jKsSospX.exe

Filesize
9KB

MD5
58e3bbce31207f8b15ee6e9292dd7cf7

SHA1
3bd785dde53a18ee20bd876e93482472f8757e75

SHA256
27ff6401c65599d7cf545bf97f5c586acb098917f093f105076969dcc1bea0bb

SHA512
bfa00d312bcb7eddee9689b6f648916d27ed049383e5de665bc8c65005a0a9d17ca1ed32b65e771b43ed3e8e6e44162d0826d3a892dd023785d43154f2f92736

Download Submit
C:\Windows\CTS.exe

Filesize
35KB

MD5
e9d254afea4388909658b53900299c04

SHA1
2ba356a2550504bacf9391959271833b68e08fb4

SHA256
a41cce688fd007b69952ba26afcf95391e9e360468eea3588d7a876e1db3983e

SHA512
035b5579bd51cb962524b9303f9b23dd77b8196bce38968b5a2ec3d52627ca7521c8848b0a6623a6593240b7cb7351664cb22be3a407187ecb39dbbac74046de

Download Submit
C:\Windows\CTS.exe

Filesize
7KB

MD5
0bfcd1ebc38652dcb17006bf0be52a1a

SHA1
645c04e3b20e21a79e88ca173b115f1aec434a62

SHA256
a3a00bfc08bc8591ae9e485c8186492a0e936968708abd777787fb11b03aef8d

SHA512
3c7e9a163329b7b6baa09c57dc172d0b7b3e2d48dc24bfe3092fdd749fd89ca6920bbbe963b9ab93b339e93808e29ad96572fddce0e13c98c22848bdb879e294

Download Submit
C:\Windows\CTS.exe

Filesize
5KB

MD5
e1a46a5ed8f8bf7f15ea0aee54fd1240

SHA1
7b947cccd7c8e653e336e0f32111931d97727eac

SHA256
b7cbd298f1aed3073a263689e46f2c2b3da3cf22a187190cd73290c77e9e2111

SHA512
9dc8250c5f740801b3a45e260db4ae035a7799451d4b13a63ddb003de8b65041486913cf043d1781f951a17bc0f648d776dfe369669c3aab3646fb6c366c025c

Download Submit
\Users\Admin\AppData\Local\Temp\hx7tlJ4jKsSospX.exe

Filesize
9KB

MD5
0c1b553e4a415199118bf6398610ad59

SHA1
3d91e84739cbbdfde53629eed4a3fb73d6dd4537

SHA256
9c6ffc34c167ba4448575fa2eac5937bd519368d7ad3c9788eb639ea2091da33

SHA512
d5fb6fe16a1d4d646aea5b2a17927f6788f26dd85b8a127e3b57b0b6b0417d690d396e7c2f376209b576388693821f730a6798a07d52130573588c26d76b2ed0

Download Submit
memory/2844-13-0x0000000000CD0000-0x0000000000CE7000-memory.dmp

Filesize
92KB

Download
memory/2972-11-0x0000000000CF0000-0x0000000000D07000-memory.dmp

Filesize
92KB

Download
memory/2972-1-0x0000000000CF0000-0x0000000000D07000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads