4151ecae8aadd4911af52961c794d0a2dc0884acb63ef0cd6329335ee8026581

Analysis

max time kernel
152s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19/01/2024, 19:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

687a1172ef625b7303fde8c83913c6f7.exe
Size

1.1MB
MD5

687a1172ef625b7303fde8c83913c6f7
SHA1

d61557360a6790851c9220caa1ea8f33214f8df4
SHA256

4151ecae8aadd4911af52961c794d0a2dc0884acb63ef0cd6329335ee8026581
SHA512

950af9612cc9b66c9200cc1c4da0b45ae9b0b5dfbf071e7c94fb30a373fcb226204a9205de9006f5352605764c7107da4abcd51190f1ccd9bf69bf8addfd04c3
SSDEEP

24576:hi7HQvWYd9GiC6bU4O4Z2ODAh8795CYL/gpWmqoPbISsRw0HKoZ:h+HQvz2iC6btOoNAhmhsjISeeC

Score

7^/10

persistence spyware stealer upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
208	50itTfGglavv4xl.exe
4900	CTS.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3160-0-0x0000000000490000-0x00000000004A7000-memory.dmp	upx
behavioral2/files/0x0009000000023023-6.dat	upx
behavioral2/memory/4900-8-0x0000000000710000-0x0000000000727000-memory.dmp	upx
behavioral2/memory/3160-9-0x0000000000490000-0x00000000004A7000-memory.dmp	upx
behavioral2/files/0x0007000000022556-12.dat	upx
behavioral2/memory/4900-175-0x0000000000710000-0x0000000000727000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	687a1172ef625b7303fde8c83913c6f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\GUMDF34.tmp\GoogleUpdateSetup.exe	50itTfGglavv4xl.exe
File created	C:\Program Files (x86)\GUMDF34.tmp\GoogleUpdateOnDemand.exe	50itTfGglavv4xl.exe
File created	C:\Program Files (x86)\GUMDF34.tmp\psuser_64.dll	50itTfGglavv4xl.exe
File created	C:\Program Files (x86)\GUMDF34.tmp\goopdateres_el.dll	50itTfGglavv4xl.exe
File created	C:\Program Files (x86)\GUMDF34.tmp\goopdateres_lt.dll	50itTfGglavv4xl.exe
File created	C:\Program Files (x86)\GUMDF34.tmp\goopdateres_nl.dll	50itTfGglavv4xl.exe
File created	C:\Program Files (x86)\GUMDF34.tmp\goopdateres_sk.dll	50itTfGglavv4xl.exe
File created	C:\Program Files (x86)\GUMDF34.tmp\GoogleCrashHandler.exe	50itTfGglavv4xl.exe
File created	C:\Program Files (x86)\GUMDF34.tmp\goopdateres_hi.dll	50itTfGglavv4xl.exe
File created	C:\Program Files (x86)\GUMDF34.tmp\psmachine.dll	50itTfGglavv4xl.exe
File created	C:\Program Files (x86)\GUMDF34.tmp\goopdateres_ca.dll	50itTfGglavv4xl.exe
File created	C:\Program Files (x86)\GUMDF34.tmp\goopdateres_kn.dll	50itTfGglavv4xl.exe
File created	C:\Program Files (x86)\GUMDF34.tmp\goopdateres_th.dll	50itTfGglavv4xl.exe
File created	C:\Program Files (x86)\GUMDF34.tmp\psmachine_64.dll	50itTfGglavv4xl.exe
File created	C:\Program Files (x86)\GUMDF34.tmp\goopdateres_hr.dll	50itTfGglavv4xl.exe
File created	C:\Program Files (x86)\GUMDF34.tmp\goopdateres_sr.dll	50itTfGglavv4xl.exe
File created	C:\Program Files (x86)\GUMDF34.tmp\goopdateres_am.dll	50itTfGglavv4xl.exe
File created	C:\Program Files (x86)\GUMDF34.tmp\goopdateres_ar.dll	50itTfGglavv4xl.exe
File created	C:\Program Files (x86)\GUMDF34.tmp\goopdateres_lv.dll	50itTfGglavv4xl.exe
File created	C:\Program Files (x86)\GUMDF34.tmp\goopdateres_ml.dll	50itTfGglavv4xl.exe
File created	C:\Program Files (x86)\GUMDF34.tmp\goopdateres_zh-TW.dll	50itTfGglavv4xl.exe
File created	C:\Program Files (x86)\GUMDF34.tmp\goopdateres_sw.dll	50itTfGglavv4xl.exe
File created	C:\Program Files (x86)\GUMDF34.tmp\goopdateres_uk.dll	50itTfGglavv4xl.exe
File created	C:\Program Files (x86)\GUMDF34.tmp\GoogleUpdateComRegisterShell64.exe	50itTfGglavv4xl.exe
File created	C:\Program Files (x86)\GUMDF34.tmp\psuser.dll	50itTfGglavv4xl.exe
File created	C:\Program Files (x86)\GUMDF34.tmp\GoogleCrashHandler64.exe	50itTfGglavv4xl.exe
File created	C:\Program Files (x86)\GUMDF34.tmp\GoogleUpdateCore.exe	50itTfGglavv4xl.exe
File created	C:\Program Files (x86)\GUMDF34.tmp\goopdateres_ja.dll	50itTfGglavv4xl.exe
File created	C:\Program Files (x86)\GUMDF34.tmp\goopdateres_ms.dll	50itTfGglavv4xl.exe
File created	C:\Program Files (x86)\GUMDF34.tmp\goopdateres_bg.dll	50itTfGglavv4xl.exe
File created	C:\Program Files (x86)\GUMDF34.tmp\goopdateres_da.dll	50itTfGglavv4xl.exe
File created	C:\Program Files (x86)\GUMDF34.tmp\goopdateres_pl.dll	50itTfGglavv4xl.exe
File created	C:\Program Files (x86)\GUMDF34.tmp\goopdateres_en.dll	50itTfGglavv4xl.exe
File created	C:\Program Files (x86)\GUMDF34.tmp\goopdateres_fa.dll	50itTfGglavv4xl.exe
File created	C:\Program Files (x86)\GUMDF34.tmp\goopdateres_pt-BR.dll	50itTfGglavv4xl.exe
File created	C:\Program Files (x86)\GUMDF34.tmp\goopdateres_sl.dll	50itTfGglavv4xl.exe
File created	C:\Program Files (x86)\GUMDF34.tmp\goopdateres_tr.dll	50itTfGglavv4xl.exe
File created	C:\Program Files (x86)\GUMDF34.tmp\goopdateres_ur.dll	50itTfGglavv4xl.exe
File created	C:\Program Files (x86)\GUMDF34.tmp\goopdateres_bn.dll	50itTfGglavv4xl.exe
File created	C:\Program Files (x86)\GUMDF34.tmp\goopdateres_es.dll	50itTfGglavv4xl.exe
File created	C:\Program Files (x86)\GUMDF34.tmp\goopdateres_et.dll	50itTfGglavv4xl.exe
File created	C:\Program Files (x86)\GUMDF34.tmp\goopdateres_fi.dll	50itTfGglavv4xl.exe
File created	C:\Program Files (x86)\GUMDF34.tmp\goopdateres_ta.dll	50itTfGglavv4xl.exe
File created	C:\Program Files (x86)\GUMDF34.tmp\goopdateres_te.dll	50itTfGglavv4xl.exe
File created	C:\Program Files (x86)\GUMDF34.tmp\goopdate.dll	50itTfGglavv4xl.exe
File created	C:\Program Files (x86)\GUMDF34.tmp\goopdateres_en-GB.dll	50itTfGglavv4xl.exe
File created	C:\Program Files (x86)\GUMDF34.tmp\goopdateres_hu.dll	50itTfGglavv4xl.exe
File created	C:\Program Files (x86)\GUMDF34.tmp\goopdateres_id.dll	50itTfGglavv4xl.exe
File created	C:\Program Files (x86)\GUMDF34.tmp\goopdateres_vi.dll	50itTfGglavv4xl.exe
File opened for modification	C:\Program Files (x86)\GUMDF34.tmp\GoogleUpdateSetup.exe	50itTfGglavv4xl.exe
File opened for modification	C:\Program Files (x86)\GUTDF45.tmp	50itTfGglavv4xl.exe
File created	C:\Program Files (x86)\GUMDF34.tmp\goopdateres_de.dll	50itTfGglavv4xl.exe
File created	C:\Program Files (x86)\GUMDF34.tmp\goopdateres_is.dll	50itTfGglavv4xl.exe
File created	C:\Program Files (x86)\GUMDF34.tmp\goopdateres_mr.dll	50itTfGglavv4xl.exe
File created	C:\Program Files (x86)\GUMDF34.tmp\goopdateres_ro.dll	50itTfGglavv4xl.exe
File created	C:\Program Files (x86)\GUMDF34.tmp\goopdateres_sv.dll	50itTfGglavv4xl.exe
File created	C:\Program Files (x86)\GUMDF34.tmp\GoogleUpdateBroker.exe	50itTfGglavv4xl.exe
File created	C:\Program Files (x86)\GUMDF34.tmp\goopdateres_ru.dll	50itTfGglavv4xl.exe
File created	C:\Program Files (x86)\GUMDF34.tmp\GoogleUpdateWebPlugin.exe	50itTfGglavv4xl.exe
File created	C:\Program Files (x86)\GUMDF34.tmp\goopdateres_es-419.dll	50itTfGglavv4xl.exe
File created	C:\Program Files (x86)\GUMDF34.tmp\goopdateres_fr.dll	50itTfGglavv4xl.exe
File created	C:\Program Files (x86)\GUMDF34.tmp\goopdateres_gu.dll	50itTfGglavv4xl.exe
File created	C:\Program Files (x86)\GUMDF34.tmp\goopdateres_zh-CN.dll	50itTfGglavv4xl.exe
File created	C:\Program Files (x86)\GUMDF34.tmp\GoogleUpdate.exe	50itTfGglavv4xl.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	687a1172ef625b7303fde8c83913c6f7.exe
File created	C:\Windows\CTS.exe	CTS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3160	687a1172ef625b7303fde8c83913c6f7.exe
Token: SeDebugPrivilege	4900	CTS.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3160 wrote to memory of 208	3160	687a1172ef625b7303fde8c83913c6f7.exe	89
PID 3160 wrote to memory of 208	3160	687a1172ef625b7303fde8c83913c6f7.exe	89
PID 3160 wrote to memory of 208	3160	687a1172ef625b7303fde8c83913c6f7.exe	89
PID 3160 wrote to memory of 4900	3160	687a1172ef625b7303fde8c83913c6f7.exe	90
PID 3160 wrote to memory of 4900	3160	687a1172ef625b7303fde8c83913c6f7.exe	90
PID 3160 wrote to memory of 4900	3160	687a1172ef625b7303fde8c83913c6f7.exe	90

C:\Users\Admin\AppData\Local\Temp\687a1172ef625b7303fde8c83913c6f7.exe
"C:\Users\Admin\AppData\Local\Temp\687a1172ef625b7303fde8c83913c6f7.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3160
- C:\Users\Admin\AppData\Local\Temp\50itTfGglavv4xl.exe
  C:\Users\Admin\AppData\Local\Temp\50itTfGglavv4xl.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:208
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:4900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
352KB

MD5
672d67c2efb10dedad5af9ebc7f3512a

SHA1
947e7fb1248a2a4450d3fe2a9794b46955b92fee

SHA256
d4f9a42954d597dd9141e27604a433d566e573b64e743588c961576a1cb7308e

SHA512
0d6961013855e60c77d35eeef4a28e4e246e59e662812248c68a925efdc23fb886a7e58ad7b5c311db2ce5d170a0b5264703ec504fde0914473ba0d398606db1

Download Submit
C:\Users\Admin\AppData\Local\Temp\50itTfGglavv4xl.exe

Filesize
1.1MB

MD5
53baee50f7a69bf3bc0fffe25341a923

SHA1
0b7998f5517ed4e7c5aeea3a89d73b60d2a2d102

SHA256
f91e258ea71dcbfc82371b2ee3e20852e45bef0cb946223d1141a6ef1dfb793f

SHA512
0eb28032849f775f604b7064a4f00f7d802c8c2fd5c7bc21b48298e6c3d316286963794b4c6c4981199c21f56b08d9aa466a470d40738d1b633b7feddc8e6241

Download Submit
C:\Windows\CTS.exe

Filesize
29KB

MD5
70aa23c9229741a9b52e5ce388a883ac

SHA1
b42683e21e13de3f71db26635954d992ebe7119e

SHA256
9d25cc704b1c00c9d17903e25ca35c319663e997cb9da0b116790b639e9688f2

SHA512
be604a2ad5ab8a3e5edb8901016a76042ba873c8d05b4ef8eec31241377ec6b2a883b51c6912dc7640581ffa624547db334683975883ae74e62808b5ae9ab0b5

Download Submit
memory/3160-0-0x0000000000490000-0x00000000004A7000-memory.dmp

Filesize
92KB

Download
memory/3160-9-0x0000000000490000-0x00000000004A7000-memory.dmp

Filesize
92KB

Download
memory/4900-8-0x0000000000710000-0x0000000000727000-memory.dmp

Filesize
92KB

Download
memory/4900-175-0x0000000000710000-0x0000000000727000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads