Malware Analysis Report

2025-03-14 22:30

Sample ID 240304-rfy92aca41
Target b252f36350548b10cd4a73ed9f681ec5
SHA256 9099bbe761df281236d333dc2827f8101ff42236e2af32e87f60c9e1e6b8067e
Tags: persistence, spyware, stealer, upx
Score: 7/10

Analysis Overview

Score: 7/10
SHA256: 9099bbe761df281236d333dc2827f8101ff42236e2af32e87f60c9e1e6b8067e

Threat Level: Shows suspicious behavior

The file b252f36350548b10cd4a73ed9f681ec5 was found to show suspicious behavior.

Malicious Activity Summary

Tags: persistence, spyware, stealer, upx

Reads user/profile data of web browsers

UPX packed file

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Analysis: static1

Detonation Overview

Reported

2024-03-04 14:08

Signatures

UPX packed file (tag: upx)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-04 14:08

Reported

2024-03-04 14:11

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b252f36350548b10cd4a73ed9f681ec5.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2lhGnVhkZIbuFyP.exe | N/A
N/A | N/A | C:\Windows\CTS.exe | N/A

Reads user/profile data of web browsers (tags: spyware, stealer)

UPX packed file (tag: upx)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application (tag: persistence)

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\b252f36350548b10cd4a73ed9f681ec5.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\b252f36350548b10cd4a73ed9f681ec5.exe | N/A
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b252f36350548b10cd4a73ed9f681ec5.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A
Token: SeBackupPrivilege (2 events) | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b252f36350548b10cd4a73ed9f681ec5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b252f36350548b10cd4a73ed9f681ec5.exe"

C:\Users\Admin\AppData\Local\Temp\2lhGnVhkZIbuFyP.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2lhGnVhkZIbuFyP.exe

C:\Windows\CTS.exe
  Command line: "C:\Windows\CTS.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
  Command line: dw20.exe -x -s 820

Network


Files

memory/4500-0-0x0000000000710000-0x0000000000727000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2lhGnVhkZIbuFyP.exe

MD5 e115521ba14b75f53dcdff087ec6898f
SHA1 87103a892bb514a93d485fba221bacb9da3aae25
SHA256 59b284d0ad4c2634938e70fae67d9048bd98422d052fbd745a9b80b5fae7ae29
SHA512 ab3d097bcf11bf7327a28124052b210f5fb13b9bfb9b7376cae1ba5c30182a330506935288a7fe06b7e3fdd82b57f5c31638f1c301738342819c772b346fa35a

C:\Windows\CTS.exe

MD5 70aa23c9229741a9b52e5ce388a883ac
SHA1 b42683e21e13de3f71db26635954d992ebe7119e
SHA256 9d25cc704b1c00c9d17903e25ca35c319663e997cb9da0b116790b639e9688f2
SHA512 be604a2ad5ab8a3e5edb8901016a76042ba873c8d05b4ef8eec31241377ec6b2a883b51c6912dc7640581ffa624547db334683975883ae74e62808b5ae9ab0b5

memory/4500-8-0x0000000000710000-0x0000000000727000-memory.dmp

memory/4908-9-0x00000000003A0000-0x00000000003B7000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 90eec7434f905289ae71e424907398d0
SHA1 f55a4c4f4de702c4859de4146eae1b20eba3a7dc
SHA256 37fea280ac04caa4edd0eaa45412c6b471950186248f02e858b2be822db49857
SHA512 0ddfe9f8a039ec3ff7ff83c29b2764f8d9c35335b13e20559817a544e28cedc7def6929a9003e7d44b79697d96a970bcd8a01e31bf35c5201a4297f771816073

memory/400-27-0x00007FF8ECE90000-0x00007FF8ED831000-memory.dmp

memory/400-28-0x00007FF8ECE90000-0x00007FF8ED831000-memory.dmp

memory/400-30-0x0000000000E60000-0x0000000000E70000-memory.dmp

memory/400-40-0x00007FF8ECE90000-0x00007FF8ED831000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-04 14:08

Reported

2024-03-04 14:11

Platform

win7-20240221-en

Max time kernel

142s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b252f36350548b10cd4a73ed9f681ec5.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SLlvfLdMc6FBvZA.exe | N/A
N/A | N/A | C:\Windows\CTS.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b252f36350548b10cd4a73ed9f681ec5.exe | N/A

Reads user/profile data of web browsers (tags: spyware, stealer)

UPX packed file (tag: upx)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application (tag: persistence)

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\b252f36350548b10cd4a73ed9f681ec5.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\b252f36350548b10cd4a73ed9f681ec5.exe | N/A
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b252f36350548b10cd4a73ed9f681ec5.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2272 wrote to memory of 2708 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\b252f36350548b10cd4a73ed9f681ec5.exe | C:\Users\Admin\AppData\Local\Temp\SLlvfLdMc6FBvZA.exe
PID 2272 wrote to memory of 2920 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\b252f36350548b10cd4a73ed9f681ec5.exe | C:\Windows\CTS.exe
PID 2708 wrote to memory of 2540 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\SLlvfLdMc6FBvZA.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b252f36350548b10cd4a73ed9f681ec5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b252f36350548b10cd4a73ed9f681ec5.exe"

C:\Users\Admin\AppData\Local\Temp\SLlvfLdMc6FBvZA.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\SLlvfLdMc6FBvZA.exe

C:\Windows\CTS.exe
  Command line: "C:\Windows\CTS.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
  Command line: dw20.exe -x -s 380

Network

N/A

Files

memory/2272-0-0x0000000000D50000-0x0000000000D67000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SLlvfLdMc6FBvZA.exe

MD5 e115521ba14b75f53dcdff087ec6898f
SHA1 87103a892bb514a93d485fba221bacb9da3aae25
SHA256 59b284d0ad4c2634938e70fae67d9048bd98422d052fbd745a9b80b5fae7ae29
SHA512 ab3d097bcf11bf7327a28124052b210f5fb13b9bfb9b7376cae1ba5c30182a330506935288a7fe06b7e3fdd82b57f5c31638f1c301738342819c772b346fa35a

memory/2272-10-0x0000000000D50000-0x0000000000D67000-memory.dmp

C:\Windows\CTS.exe

MD5 70aa23c9229741a9b52e5ce388a883ac
SHA1 b42683e21e13de3f71db26635954d992ebe7119e
SHA256 9d25cc704b1c00c9d17903e25ca35c319663e997cb9da0b116790b639e9688f2
SHA512 be604a2ad5ab8a3e5edb8901016a76042ba873c8d05b4ef8eec31241377ec6b2a883b51c6912dc7640581ffa624547db334683975883ae74e62808b5ae9ab0b5

memory/2272-11-0x0000000000B50000-0x0000000000B67000-memory.dmp

memory/2920-14-0x0000000000B50000-0x0000000000B67000-memory.dmp

memory/2708-17-0x000007FEF4AB0000-0x000007FEF544D000-memory.dmp

memory/2708-18-0x0000000000C10000-0x0000000000C90000-memory.dmp

memory/2540-19-0x0000000000640000-0x0000000000641000-memory.dmp

memory/2708-22-0x000007FEF4AB0000-0x000007FEF544D000-memory.dmp

memory/2708-23-0x0000000000C10000-0x0000000000C90000-memory.dmp