6b0c74f6cfd8e747d6275ba28a94a893e67afdda7360d1336a40ece8ec91eb76

Analysis

max time kernel
144s
max time network
74s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
05/01/2024, 09:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

43553c087d242404840c8eb1fd302eb6.exe
Size

130KB
MD5

43553c087d242404840c8eb1fd302eb6
SHA1

ea4d2e6a88f53591af1ad26dc353b5b9b10f8578
SHA256

6b0c74f6cfd8e747d6275ba28a94a893e67afdda7360d1336a40ece8ec91eb76
SHA512

f081f1acc19f9096075f9f50528d628f8d369f6671ec6bb5a5481bda4b9237c1c63ee0c3914d5c26db4561b2a184b1448f6d65cc97fc39d1cae3d8a5f8d6ab76
SSDEEP

3072:sr3KcWmjRrzSxqZoChjOOFyTDj+vqIRVQh8QT452RIaIhpQ3cdcG:/rXOGjvIb5uIaQc81

Score

7^/10

persistence spyware stealer upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3860	ubbkSBe9AqfP9pR.exe
4500	CTS.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/440-0-0x0000000000500000-0x0000000000517000-memory.dmp	upx
behavioral2/memory/440-9-0x0000000000500000-0x0000000000517000-memory.dmp	upx
behavioral2/memory/4500-10-0x0000000000480000-0x0000000000497000-memory.dmp	upx
behavioral2/files/0x0008000000023233-8.dat	upx
behavioral2/files/0x0008000000023233-7.dat	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	43553c087d242404840c8eb1fd302eb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	43553c087d242404840c8eb1fd302eb6.exe
File created	C:\Windows\CTS.exe	CTS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	440	43553c087d242404840c8eb1fd302eb6.exe
Token: SeDebugPrivilege	4500	CTS.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 440 wrote to memory of 3860	440	43553c087d242404840c8eb1fd302eb6.exe	18
PID 440 wrote to memory of 3860	440	43553c087d242404840c8eb1fd302eb6.exe	18
PID 440 wrote to memory of 4500	440	43553c087d242404840c8eb1fd302eb6.exe	17
PID 440 wrote to memory of 4500	440	43553c087d242404840c8eb1fd302eb6.exe	17
PID 440 wrote to memory of 4500	440	43553c087d242404840c8eb1fd302eb6.exe	17

C:\Users\Admin\AppData\Local\Temp\43553c087d242404840c8eb1fd302eb6.exe
"C:\Users\Admin\AppData\Local\Temp\43553c087d242404840c8eb1fd302eb6.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:440
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:4500
- C:\Users\Admin\AppData\Local\Temp\ubbkSBe9AqfP9pR.exe
  C:\Users\Admin\AppData\Local\Temp\ubbkSBe9AqfP9pR.exe
  2⤵
  - Executes dropped EXE
  PID:3860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ubbkSBe9AqfP9pR.exe

Filesize
32KB

MD5
c822f2e51c87ccbfc4eca843b1000972

SHA1
28b21ea3946a5e8f9dacccff22f485966eab2e9d

SHA256
b73f2ffc770273f7d8acc03d15f49350e6ffeb6a54fc7a7aa2bda6c20feedf0b

SHA512
b7095fc35aa3f18699ab5a65b4e75e142ddd115c01cc6a497d0d13116d655d8b32542bbb18ae85f92525e0675748577a0f0a456812f7bec0184f0c0d88995159

Download Submit
C:\Users\Admin\AppData\Local\Temp\ubbkSBe9AqfP9pR.exe

Filesize
4KB

MD5
f6963a051e57cfa1452b643eacac377a

SHA1
901b3280d8a4bd10f0e5827fe201204d2757c670

SHA256
853534ddf5ea88c03accffa855eb5fa363d7b7488dd5eb119af83fc68e537afa

SHA512
af06b1531474f537d6f8ad34fb6d807acbfd1a0d62c6df545dad56482259c27a7a5653636a6471e8673d1dcaee914f4e4ee5e28a965eadcfa0a8a336fcddf572

Download Submit
C:\Windows\CTS.exe

Filesize
8KB

MD5
2af5e281bf8493b897f3501049a3318e

SHA1
edcde08d3f996b2416c4f5aa52f7aff4cbdfc4c3

SHA256
17422c9dab6b00e735bbffdc03e59c478e864c73b67c4e2c526b427a74dc85e3

SHA512
428baed32e498f23ca96c1436711158f9e40daa1086e8e986642942672bfe7995da73731c11d8357e81e64cfe096ea21f2232684d2a156bd4f8f5625a7a75bae

Download Submit
memory/440-0-0x0000000000500000-0x0000000000517000-memory.dmp

Filesize
92KB

Download
memory/440-9-0x0000000000500000-0x0000000000517000-memory.dmp

Filesize
92KB

Download
memory/4500-10-0x0000000000480000-0x0000000000497000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads