1b636ee394db42c48adefceecb5ce6615deedf9b250ae25c65a17c2cbbca5c9e

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
09-01-2024 16:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ed46660c513069b777d4d3324e977fd.exe
Size

82KB
MD5

4ed46660c513069b777d4d3324e977fd
SHA1

95b0fde494cb59639b41c73712d8f2e94fe9184d
SHA256

1b636ee394db42c48adefceecb5ce6615deedf9b250ae25c65a17c2cbbca5c9e
SHA512

cdca70d917926b24737c5c61bca252a0ef9a8b68f73a1d01f0e098cfec3954620e8d1fabcbd1c247a33ed966c3452082fc37cb8f9e4b19a27825d96e8974cacc
SSDEEP

768:XqNK2cNW0QbRsWjcdip3RK733XV8YEhBjIwU/0SAR1RGn8NIoJtR+beoKY:scNjQlsWjcdiTuXbELbGn82i+beo1

Score

7^/10

persistence spyware stealer upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2404	CTS.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2692-0-0x00000000005B0000-0x00000000005C9000-memory.dmp	upx
behavioral2/memory/2404-9-0x0000000000BD0000-0x0000000000BE9000-memory.dmp	upx
behavioral2/memory/2692-8-0x00000000005B0000-0x00000000005C9000-memory.dmp	upx
behavioral2/files/0x00090000000231e8-7.dat	upx
behavioral2/files/0x00090000000231e8-6.dat	upx
behavioral2/files/0x000300000002276d-12.dat	upx
behavioral2/files/0x000d000000023150-30.dat	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	4ed46660c513069b777d4d3324e977fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	4ed46660c513069b777d4d3324e977fd.exe
File created	C:\Windows\CTS.exe	CTS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2692	4ed46660c513069b777d4d3324e977fd.exe
Token: SeDebugPrivilege	2404	CTS.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 2404	2692	4ed46660c513069b777d4d3324e977fd.exe	19
PID 2692 wrote to memory of 2404	2692	4ed46660c513069b777d4d3324e977fd.exe	19
PID 2692 wrote to memory of 2404	2692	4ed46660c513069b777d4d3324e977fd.exe	19

C:\Users\Admin\AppData\Local\Temp\4ed46660c513069b777d4d3324e977fd.exe
"C:\Users\Admin\AppData\Local\Temp\4ed46660c513069b777d4d3324e977fd.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
5KB

MD5
46166f1feff354403637abd36d62f1f1

SHA1
8b47e3e9db35febc859433f438b272be59694f22

SHA256
6657f9c08bc259ae0be6c96a1571bd9e4d45abd13e8b86fee195e6bc3dc2abdd

SHA512
0c2c9b16bfdb143ecd4154eace1cb5a8cb2c9019ebb24ad7025bc90f81e5fcb5c6fb154e350cd82d7ff90322b384ffa70899119763edd56805cb5d9e61057b75

Download Submit
C:\Users\Admin\AppData\Local\Temp\vvFfi5JBOeRmOSn.exe

Filesize
82KB

MD5
45b9db56aab01dccd40d13da1b54e0b0

SHA1
4c528518e119e3cc7c55d4b197f3254f3b96a47a

SHA256
31453b6c8e7a76629b2f735aec0db7933c28c2f0aebd26cee4a1fb8752e12e56

SHA512
16fd903d64496cc8ca914ed7728ed6267a15a58959a2f183dc2f4ba5560a86bc63a6633fd1a1be6e327e4e29857cf43bc38a1c8facbb6e19b59d7276457c303e

Download Submit
C:\Windows\CTS.exe

Filesize
16KB

MD5
a438de1fd6f94709fe74d572c61990f0

SHA1
70ac7136543fbe1b5952690493387b515dd85d96

SHA256
f48f5e66f2032d321c5603e373443003cbf663d45df495c7e3e2e2262f6cc9b8

SHA512
e8b08ad74d8656ef0c38000a6e239e4b19e2ef6c1f8931a07bce6720bc2a319d00f5968795ee7fecfac41b730476db10eb13cb4f51ee257faacd95e27333077f

Download Submit
C:\Windows\CTS.exe

Filesize
30KB

MD5
d1b2342f95b569dad4976469a144f871

SHA1
121dd2b47ac302b2aaa48542c3bf8a026719a49f

SHA256
d5939b4edd6b385d8bbd887bde6ef7c165461e081a71749a1357cf6df2822f34

SHA512
a7e271a6f9c0c336c557aee393924e1fc47395f0a74ad32e0cf6c1ba3b81a1c5052cacf450ce4a3e140186b1ff2e1259ad5fde6681739dba59a49e8259cbee58

Download Submit
memory/2404-9-0x0000000000BD0000-0x0000000000BE9000-memory.dmp

Filesize
100KB

Download
memory/2692-0-0x00000000005B0000-0x00000000005C9000-memory.dmp

Filesize
100KB

Download
memory/2692-8-0x00000000005B0000-0x00000000005C9000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads