Malware Analysis Report

2025-03-14 22:30

Sample ID 240304-q2exvabf4t
Target b246e55df34671bdda4bdb3451634aa2
SHA256 2e1e00ecb82b5055185935ada275a1022daa7849f052ccd62d5d708a94524357
Tags

upx persistence spyware stealer

Score

7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score

7/10

SHA256

2e1e00ecb82b5055185935ada275a1022daa7849f052ccd62d5d708a94524357

Threat Level: Shows suspicious behavior

The file b246e55df34671bdda4bdb3451634aa2 was assessed as: shows suspicious behavior.

Malicious Activity Summary

upx persistence spyware stealer

UPX packed file

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Modifies system certificate store

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-04 13:45

Signatures

UPX packed file

upx

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-03-04 13:45

Reported

2024-03-04 13:47

Platform

win7-20240220-en

Max time kernel

140s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b246e55df34671bdda4bdb3451634aa2.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\b246e55df34671bdda4bdb3451634aa2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\b246e55df34671bdda4bdb3451634aa2.exe | N/A
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\jds259398540.tmp\DS2AYELno1notcd.exe | N/A

Modifies system certificate store

evasion spyware trojan
Description | Indicator | Process | Target
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (binary blob value omitted) | C:\Users\Admin\AppData\Local\Temp\jds259398540.tmp\DS2AYELno1notcd.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | C:\Users\Admin\AppData\Local\Temp\jds259398540.tmp\DS2AYELno1notcd.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b246e55df34671bdda4bdb3451634aa2.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2088 wrote to memory of 2588 | N/A | C:\Users\Admin\AppData\Local\Temp\b246e55df34671bdda4bdb3451634aa2.exe | C:\Users\Admin\AppData\Local\Temp\DS2AYELno1notcd.exe
PID 2088 wrote to memory of 2588 | N/A | C:\Users\Admin\AppData\Local\Temp\b246e55df34671bdda4bdb3451634aa2.exe | C:\Users\Admin\AppData\Local\Temp\DS2AYELno1notcd.exe
PID 2088 wrote to memory of 2588 | N/A | C:\Users\Admin\AppData\Local\Temp\b246e55df34671bdda4bdb3451634aa2.exe | C:\Users\Admin\AppData\Local\Temp\DS2AYELno1notcd.exe
PID 2088 wrote to memory of 2588 | N/A | C:\Users\Admin\AppData\Local\Temp\b246e55df34671bdda4bdb3451634aa2.exe | C:\Users\Admin\AppData\Local\Temp\DS2AYELno1notcd.exe
PID 2088 wrote to memory of 2588 | N/A | C:\Users\Admin\AppData\Local\Temp\b246e55df34671bdda4bdb3451634aa2.exe | C:\Users\Admin\AppData\Local\Temp\DS2AYELno1notcd.exe
PID 2088 wrote to memory of 2588 | N/A | C:\Users\Admin\AppData\Local\Temp\b246e55df34671bdda4bdb3451634aa2.exe | C:\Users\Admin\AppData\Local\Temp\DS2AYELno1notcd.exe
PID 2088 wrote to memory of 2588 | N/A | C:\Users\Admin\AppData\Local\Temp\b246e55df34671bdda4bdb3451634aa2.exe | C:\Users\Admin\AppData\Local\Temp\DS2AYELno1notcd.exe
PID 2088 wrote to memory of 2852 | N/A | C:\Users\Admin\AppData\Local\Temp\b246e55df34671bdda4bdb3451634aa2.exe | C:\Windows\CTS.exe
PID 2088 wrote to memory of 2852 | N/A | C:\Users\Admin\AppData\Local\Temp\b246e55df34671bdda4bdb3451634aa2.exe | C:\Windows\CTS.exe
PID 2088 wrote to memory of 2852 | N/A | C:\Users\Admin\AppData\Local\Temp\b246e55df34671bdda4bdb3451634aa2.exe | C:\Windows\CTS.exe
PID 2088 wrote to memory of 2852 | N/A | C:\Users\Admin\AppData\Local\Temp\b246e55df34671bdda4bdb3451634aa2.exe | C:\Windows\CTS.exe
PID 2588 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\DS2AYELno1notcd.exe | C:\Users\Admin\AppData\Local\Temp\jds259398540.tmp\DS2AYELno1notcd.exe
PID 2588 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\DS2AYELno1notcd.exe | C:\Users\Admin\AppData\Local\Temp\jds259398540.tmp\DS2AYELno1notcd.exe
PID 2588 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\DS2AYELno1notcd.exe | C:\Users\Admin\AppData\Local\Temp\jds259398540.tmp\DS2AYELno1notcd.exe
PID 2588 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\DS2AYELno1notcd.exe | C:\Users\Admin\AppData\Local\Temp\jds259398540.tmp\DS2AYELno1notcd.exe
PID 2588 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\DS2AYELno1notcd.exe | C:\Users\Admin\AppData\Local\Temp\jds259398540.tmp\DS2AYELno1notcd.exe
PID 2588 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\DS2AYELno1notcd.exe | C:\Users\Admin\AppData\Local\Temp\jds259398540.tmp\DS2AYELno1notcd.exe
PID 2588 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\DS2AYELno1notcd.exe | C:\Users\Admin\AppData\Local\Temp\jds259398540.tmp\DS2AYELno1notcd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b246e55df34671bdda4bdb3451634aa2.exe

"C:\Users\Admin\AppData\Local\Temp\b246e55df34671bdda4bdb3451634aa2.exe"

C:\Users\Admin\AppData\Local\Temp\DS2AYELno1notcd.exe

C:\Users\Admin\AppData\Local\Temp\DS2AYELno1notcd.exe

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

C:\Users\Admin\AppData\Local\Temp\jds259398540.tmp\DS2AYELno1notcd.exe

"C:\Users\Admin\AppData\Local\Temp\jds259398540.tmp\DS2AYELno1notcd.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | javadl-esd-secure.oracle.com | udp
GB | 23.214.154.220:443 | javadl-esd-secure.oracle.com | tcp
US | 8.8.8.8:53 | javadl.oracle.com | udp
GB | 23.204.232.117:80 | javadl.oracle.com | tcp
GB | 23.204.232.117:443 | javadl.oracle.com | tcp
US | 8.8.8.8:53 | sdlc-esd.oracle.com | udp
GB | 23.44.232.84:443 | sdlc-esd.oracle.com | tcp

Files

memory/2088-0-0x0000000000C10000-0x0000000000C27000-memory.dmp

\Users\Admin\AppData\Local\Temp\DS2AYELno1notcd.exe

MD5 544e07d620d3108b9b6aa3384d02dea5
SHA1 9897596f3c4ec39e38ef7f1081783db7693ae0b2
SHA256 a8fb1a1473831ac6feb092afd2cbdded2d6a881d3576158fabd89090050b52f8
SHA512 3663b9c056447c4491635b5bdcbc6e1a2b67a432b41bab6f479da5c787c48f1067cecafdfb6d9763f9b17b553aa953ae87068ba7f0c1c93facf34db7ac53a64c

memory/2088-18-0x00000000000E0000-0x00000000000F7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jds259398540.tmp\DS2AYELno1notcd.exe

MD5 109cbe148f827137c3ba62261f01b29b
SHA1 2cc02b09da46d9e5d0ac1b306a0bbcc12bfe4c12
SHA256 394ad6212e4866cc8e6d1834df8f70538dddf09d23dfa65ea204b22c012b541a
SHA512 a2dfa03dd290540bcfeda6cfd7d6ed891700742b4323d8c8dbfc4c822386ef1ddfff5cf71b2e5d7be9ec72fb6fc2145ff6ffc440823187d6956d5aa2794c5799

memory/2088-17-0x0000000000C10000-0x0000000000C27000-memory.dmp

memory/2852-26-0x0000000000260000-0x0000000000277000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jusched.log

MD5 253e8250a163eaf7cb4fb913a010a129
SHA1 189fd76784d9b896c6d52e2b469ec6bf019c038e
SHA256 89b8077d52131ccf7110a39e0bcaa4694016aa35c90dddb7403f3c41f4b5372d
SHA512 8025974a98e7e7c6df047efffe262926ced59f0af787d9712da7aa17d8ed4e3a2e9bf3d690d3f060798eb0190496bf73102f2d1bd0d603a859d89f484befe946

memory/2088-24-0x00000000000E0000-0x00000000000F7000-memory.dmp

C:\Windows\CTS.exe

MD5 641f2acbcf02682f7b0e9f18a36d0998
SHA1 3d71e3c26c9073444064ce352b968191881185cb
SHA256 2b697324dd222529c9342faf00133a2accd7a3552325db1e2b70f2ddc0f98bab
SHA512 6283c06cc4190fcb708583c49df4e8fca15aa11f50a8d53827d8ac3466393a7f9d4a246b6300eb575e514ead682b0849f014e522ab706349d760fa595d78d999

C:\Users\Admin\AppData\Local\Temp\jusched.log

MD5 451b4de0d522059e7465dffc7f832a61
SHA1 ed21769aea3bd74b1cbfdae9aaab1ac78b48ef58
SHA256 b4d678f38dba6566a30b753097a9a1a132e4566be216b1f5a180614e8d3e29a7
SHA512 85e9c03304ef9b1d591d588aadd77c266c187867a7a8b933b0fa0607d2c92b5e35f31aaf9172c5dc4e0b62a6e6386bae1fa4ee7a7f8a225a89ed92f0f895323d

memory/2088-182-0x00000000000E0000-0x00000000000F7000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-04 13:45

Reported

2024-03-04 13:47

Platform

win10v2004-20240226-en

Max time kernel

141s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b246e55df34671bdda4bdb3451634aa2.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\b246e55df34671bdda4bdb3451634aa2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\b246e55df34671bdda4bdb3451634aa2.exe | N/A
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b246e55df34671bdda4bdb3451634aa2.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b246e55df34671bdda4bdb3451634aa2.exe

"C:\Users\Admin\AppData\Local\Temp\b246e55df34671bdda4bdb3451634aa2.exe"

C:\Users\Admin\AppData\Local\Temp\gUgVflnTjTxGQhu.exe

C:\Users\Admin\AppData\Local\Temp\gUgVflnTjTxGQhu.exe

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

C:\Users\Admin\AppData\Local\Temp\jds240600109.tmp\gUgVflnTjTxGQhu.exe

"C:\Users\Admin\AppData\Local\Temp\jds240600109.tmp\gUgVflnTjTxGQhu.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 85.177.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | javadl-esd-secure.oracle.com | udp
GB | 23.214.154.220:443 | javadl-esd-secure.oracle.com | tcp
US | 8.8.8.8:53 | 204.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 220.154.214.23.in-addr.arpa | udp
US | 8.8.8.8:53 | javadl.oracle.com | udp
GB | 23.204.232.117:80 | javadl.oracle.com | tcp
US | 20.231.121.79:80 | | tcp
GB | 23.204.232.117:443 | javadl.oracle.com | tcp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 8.8.8.8:53 | sdlc-esd.oracle.com | udp
GB | 23.44.232.84:443 | sdlc-esd.oracle.com | tcp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 117.232.204.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 84.232.44.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 187.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 188.178.17.96.in-addr.arpa | udp

Files

memory/3184-0-0x00000000007F0000-0x0000000000807000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gUgVflnTjTxGQhu.exe

MD5 544e07d620d3108b9b6aa3384d02dea5
SHA1 9897596f3c4ec39e38ef7f1081783db7693ae0b2
SHA256 a8fb1a1473831ac6feb092afd2cbdded2d6a881d3576158fabd89090050b52f8
SHA512 3663b9c056447c4491635b5bdcbc6e1a2b67a432b41bab6f479da5c787c48f1067cecafdfb6d9763f9b17b553aa953ae87068ba7f0c1c93facf34db7ac53a64c

memory/3184-16-0x00000000007F0000-0x0000000000807000-memory.dmp

C:\Windows\CTS.exe

MD5 641f2acbcf02682f7b0e9f18a36d0998
SHA1 3d71e3c26c9073444064ce352b968191881185cb
SHA256 2b697324dd222529c9342faf00133a2accd7a3552325db1e2b70f2ddc0f98bab
SHA512 6283c06cc4190fcb708583c49df4e8fca15aa11f50a8d53827d8ac3466393a7f9d4a246b6300eb575e514ead682b0849f014e522ab706349d760fa595d78d999

memory/4648-8-0x00000000006F0000-0x0000000000707000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jds240600109.tmp\gUgVflnTjTxGQhu.exe

MD5 109cbe148f827137c3ba62261f01b29b
SHA1 2cc02b09da46d9e5d0ac1b306a0bbcc12bfe4c12
SHA256 394ad6212e4866cc8e6d1834df8f70538dddf09d23dfa65ea204b22c012b541a
SHA512 a2dfa03dd290540bcfeda6cfd7d6ed891700742b4323d8c8dbfc4c822386ef1ddfff5cf71b2e5d7be9ec72fb6fc2145ff6ffc440823187d6956d5aa2794c5799

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 26a09cdb073cf17d7dd6668947712e94
SHA1 f70f1119be8c2de70fcbb97ef6ef8c1de427462d
SHA256 8c8df550fd6cfaf98c99ca7da69ccd47501ffefb54d4d1fd65919dc7b4f68437
SHA512 46b27da299e78c2123dbd9a6c1a540e155d0036c722028456662fb9419802a26a9bc640a28cde304f5ccaae1eabb939b83b040bc168b84fc83482f0d5d7ffebc

C:\Users\Admin\AppData\Local\Temp\jusched.log

MD5 aef24836762628af7617e91435188e6e
SHA1 c8f990df9486c479287700dd93842e0a290b5344
SHA256 fcb3cf2f4a3d046c500293057ddf1b9c2fa40d94b8d01fedd8d72d6f73597131
SHA512 9da02999dd26849d9480607a8ec557c4107ccfbbcd33ec772e4b1171a3e67aa3f3d7968694eabd2b0d0f9702df5a67ebaa5960c8bae6ca470aa95efb278cccc7

C:\Users\Admin\AppData\Local\Temp\jusched.log

MD5 4897edf4404f7f82829e0911d132c15d
SHA1 326ce4567e28ffcf9b4c22dcb7afe16ee3f4868f
SHA256 3583c8d757273c88169678a2a8a78b3bcd21a4d0874d97e0056b99d7733f2acd
SHA512 640d0bd78ae888c0e0e828b8f23052538bbbcc647934cbde41529719deda63fcc5448776466d18b35cac26ef84ab5abdf73ee40d485c1bc6cb30ae40636b39de

memory/4648-131-0x00000000006F0000-0x0000000000707000-memory.dmp