Analysis
-
max time kernel: 141s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-01-2024 17:12
Behavioral task: behavioral1
Sample: 750fc1e9564d60b5c828375a9fc3ad96.exe
Resource: win7-20231215-en
General
-
Target: 750fc1e9564d60b5c828375a9fc3ad96.exe
Size: 133KB
MD5: 750fc1e9564d60b5c828375a9fc3ad96
SHA1: 53283f0e09c78f995f5dd99a12988fb23f4cbf54
SHA256: 17f59059ae0e742931a9d320e3a42c0237fc224b64eec4d653d3b5fa255d5d59
SHA512: 0c377a519ed8c19d96412a6ee6efc7c9da9919776fef20d848b1cd5b59d2aaf0e167d9b814479992c95cab3c5802917a2d27eececefbf2f6ff59abf2875ad1d1
SSDEEP: 1536:SKcR4mjD9r823FGHiTsNmkYAuiaT3EPGV6TFvTZBUPBn9zqwd6qbjFQ4veUx3Nw6:SKcWmjRrz39wNmnYB1KPNR7BPwscAvX
Malware Config
Signatures
-
Executes dropped EXE (2 IoCs)
Processes:
  pid   process
  4416  YoAT5XUe1unn2mG.exe
  4764  CTS.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
  resource                                                                     yara_rule
  behavioral2/memory/516-0-0x0000000000390000-0x00000000003A7000-memory.dmp    upx
  behavioral2/memory/516-8-0x0000000000390000-0x00000000003A7000-memory.dmp    upx
  behavioral2/memory/4764-9-0x0000000000F30000-0x0000000000F47000-memory.dmp   upx
  C:\Windows\CTS.exe                                                           upx
  C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml       upx
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description      ioc                                                                                                         process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"   CTS.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"   750fc1e9564d60b5c828375a9fc3ad96.exe
Drops file in Windows directory (2 IoCs)
Processes:
  description   ioc                  process
  File created  C:\Windows\CTS.exe   750fc1e9564d60b5c828375a9fc3ad96.exe
  File created  C:\Windows\CTS.exe   CTS.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description               pid   process
  Token: SeDebugPrivilege   516   750fc1e9564d60b5c828375a9fc3ad96.exe
  Token: SeDebugPrivilege   4764  CTS.exe
Suspicious use of WriteProcessMemory (5 IoCs)
Processes:
  description                        pid   process                                 target process
  PID 516 wrote to memory of 4416    516   750fc1e9564d60b5c828375a9fc3ad96.exe    YoAT5XUe1unn2mG.exe
  PID 516 wrote to memory of 4416    516   750fc1e9564d60b5c828375a9fc3ad96.exe    YoAT5XUe1unn2mG.exe
  PID 516 wrote to memory of 4764    516   750fc1e9564d60b5c828375a9fc3ad96.exe    CTS.exe
  PID 516 wrote to memory of 4764    516   750fc1e9564d60b5c828375a9fc3ad96.exe    CTS.exe
  PID 516 wrote to memory of 4764    516   750fc1e9564d60b5c828375a9fc3ad96.exe    CTS.exe
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\750fc1e9564d60b5c828375a9fc3ad96.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\750fc1e9564d60b5c828375a9fc3ad96.exe"
    PID: 516
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\YoAT5XUe1unn2mG.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\YoAT5XUe1unn2mG.exe
        PID: 4416
        - Executes dropped EXE
    [2] C:\Windows\CTS.exe
        Command line: "C:\Windows\CTS.exe"
        PID: 4764
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
  Filesize: 352KB
  MD5: eed2b535513e4414b835b8aa120a02d2
  SHA1: 451d903ded800e838c9282417d6359b1aa045a75
  SHA256: c853a5be2b321bf01a1a72a314afaba5884a432520c7a8729e397aadee098209
  SHA512: 2a727c21a2fa6b9ba7f240e23ab23de592d6db223d26c8f3ec6e0b30177468c930d1f4cf186b40e6863be7658885399023738e6a288c388e35716235e4c3fd58
-
C:\Users\Admin\AppData\Local\Temp\YoAT5XUe1unn2mG.exe
  Filesize: 103KB
  MD5: 6e5a78d1702531b72ef60b5fae57a752
  SHA1: 0ce7e1172989a55d9cc07e204af0b00b22d2ea7c
  SHA256: a00a877acefcad45953343ad56a22152f7aaba5fcf2a10215d84169d47fbcd1d
  SHA512: 23b3094d77f876b6ff9286aea1f5e61bb6909f2b66abda02be21862956712fc33ed241a0d40d0f30aa52eecb240b139468606cffa4e11ee87b6b27bd05d8f0a3
-
C:\Windows\CTS.exe
  Filesize: 29KB
  MD5: 70aa23c9229741a9b52e5ce388a883ac
  SHA1: b42683e21e13de3f71db26635954d992ebe7119e
  SHA256: 9d25cc704b1c00c9d17903e25ca35c319663e997cb9da0b116790b639e9688f2
  SHA512: be604a2ad5ab8a3e5edb8901016a76042ba873c8d05b4ef8eec31241377ec6b2a883b51c6912dc7640581ffa624547db334683975883ae74e62808b5ae9ab0b5
-
memory/516-0-0x0000000000390000-0x00000000003A7000-memory.dmp
  Filesize: 92KB
-
memory/516-8-0x0000000000390000-0x00000000003A7000-memory.dmp
  Filesize: 92KB
-
memory/4764-9-0x0000000000F30000-0x0000000000F47000-memory.dmp
  Filesize: 92KB