Analysis
- max time kernel: 158s
- max time network: 184s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08/01/2024, 04:13
Behavioral task behavioral1
- Sample: 4a68ee47fd872d1e7a957bd6c9585fec.exe
- Resource: win7-20231215-en
Behavioral task behavioral2
- Sample: 4a68ee47fd872d1e7a957bd6c9585fec.exe
- Resource: win10v2004-20231215-en
General
- Target: 4a68ee47fd872d1e7a957bd6c9585fec.exe
- Size: 335KB
- MD5: 4a68ee47fd872d1e7a957bd6c9585fec
- SHA1: 47073e49ce1c87edce2f4850506ae038385388ea
- SHA256: 55c845306575a4f6c64875549cbfaa27c17425b905d3e9a7e1e9c41653b88dda
- SHA512: d1a1658290cb464b0b8ccbad41ec0dae8c65baf85d98b38ad3ab56d6cfbea4b17f09b5226c49799cb974ed226e9718a8f0df2a2ff5a5ddb33c7260a45eb529bc
- SSDEEP: 6144:hGRqNA/2ffooKmtARQ+teJmlfV7irmdbOLhYQyDR/f064Y6Bs2Bk758Q:hvA2Io+RQ+teJmBV6mdUYQyDRX0fRmdX
Malware Config
Signatures
- Downloads MZ/PE file
- Executes dropped EXE (3 IoCs)
  pid / Process:
  - 3824 8zjYmDNjYiJWtMz.exe
  - 2452 CTS.exe
  - 1672 setup-stub.exe
- Loads dropped DLL (12 IoCs)
  pid / Process:
  - 1672 setup-stub.exe (all 12 DLL loads are by this process)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- yara_rule matches (resource / yara_rule):
  - behavioral2/memory/632-0-0x00000000006F0000-0x0000000000707000-memory.dmp: upx
  - behavioral2/files/0x000a00000002301b-3.dat: upx
  - behavioral2/memory/3824-4-0x0000000000400000-0x0000000000443000-memory.dmp: upx
  - behavioral2/files/0x000a00000002301f-10.dat: upx
  - behavioral2/memory/632-12-0x00000000006F0000-0x0000000000707000-memory.dmp: upx
  - behavioral2/memory/2452-11-0x00000000005F0000-0x0000000000607000-memory.dmp: upx
  - behavioral2/files/0x0007000000022d41-16.dat: upx
  - behavioral2/memory/3824-55-0x0000000000400000-0x0000000000443000-memory.dmp: upx
  - behavioral2/memory/2452-59-0x00000000005F0000-0x0000000000607000-memory.dmp: upx
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description / ioc / Process:
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" (4a68ee47fd872d1e7a957bd6c9585fec.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" (CTS.exe)
- Drops file in Program Files directory (6 IoCs)
  description / ioc / Process:
  - File opened for modification: C:\Program Files\Mozilla Firefox\nsg79F0.tmp (setup-stub.exe)
  - File opened for modification: C:\Program Files\Mozilla Firefox\nsg79F1.tmp (setup-stub.exe)
  - File opened for modification: C:\Program Files\Mozilla Firefox\nsg79F0.tmp\ (setup-stub.exe)
  - File opened for modification: C:\Program Files\Mozilla Firefox\nsg79F2.tmp (setup-stub.exe)
  - File opened for modification: C:\Program Files\Mozilla Firefox\nsg79F3.tmp (setup-stub.exe)
  - File opened for modification: C:\Program Files\Mozilla Firefox\nsg79F2.tmp\ (setup-stub.exe)
- Drops file in Windows directory (2 IoCs)
  description / ioc / Process:
  - File created: C:\Windows\CTS.exe (4a68ee47fd872d1e7a957bd6c9585fec.exe)
  - File created: C:\Windows\CTS.exe (CTS.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description / pid / Process:
  - Token: SeDebugPrivilege; 632; 4a68ee47fd872d1e7a957bd6c9585fec.exe
  - Token: SeDebugPrivilege; 2452; CTS.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid / Process:
  - 1672 setup-stub.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description / pid / Process / procid_target:
  - PID 632 wrote to memory of 3824; 632; 4a68ee47fd872d1e7a957bd6c9585fec.exe; 92 (recorded 3 times)
  - PID 632 wrote to memory of 2452; 632; 4a68ee47fd872d1e7a957bd6c9585fec.exe; 93 (recorded 3 times)
  - PID 3824 wrote to memory of 1672; 3824; 8zjYmDNjYiJWtMz.exe; 96 (recorded 3 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\4a68ee47fd872d1e7a957bd6c9585fec.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4a68ee47fd872d1e7a957bd6c9585fec.exe"
  PID: 632
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\8zjYmDNjYiJWtMz.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\8zjYmDNjYiJWtMz.exe
    PID: 3824
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\7zS0FED5518\setup-stub.exe (level 3)
      Command line: .\setup-stub.exe
      PID: 1672
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Program Files directory
      - Suspicious use of FindShellTrayWindow
  - C:\Windows\CTS.exe (level 2)
    Command line: "C:\Windows\CTS.exe"
    PID: 2452
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads