Analysis

  • max time kernel
    144s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-03-2024 11:04

General

  • Target

    b48d14f18e8a4f62750fb8f34bff0294.exe

  • Size

    86KB

  • MD5

    b48d14f18e8a4f62750fb8f34bff0294

  • SHA1

    1bd28671c0bd960d622b989edf2127c01797e294

  • SHA256

    ad6a17839b06b2e3dfeec19da443687b6afb9df3bf42189e2cf7a3811de8803b

  • SHA512

    20b1987599f433b7c3144db6047372b27d086b907607574d6b236eeed988ea4b482e045b66f465b39df2286b71af23cd8f0b2cb953121d6ad1d88928876e5fd7

  • SSDEEP

    1536:s9Z3KcR4mjD9r8226+M9Z3KcR4mjD9r8226+SymWNJC3eg:sr3KcWmjRrzSMr3KcWmjRrzSSymWvC3p

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies system certificate store 2 TTPs 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b48d14f18e8a4f62750fb8f34bff0294.exe
    "C:\Users\Admin\AppData\Local\Temp\b48d14f18e8a4f62750fb8f34bff0294.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2868
    • C:\Users\Admin\AppData\Local\Temp\DxDhr2hmpmipBtl.exe
      C:\Users\Admin\AppData\Local\Temp\DxDhr2hmpmipBtl.exe
      2⤵
      • Executes dropped EXE
      • Modifies system certificate store
      PID:552
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:4692
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3884 --field-trial-handle=2304,i,7548677271533893574,11048237606705436109,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:3984

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

      Filesize

      395KB

      MD5

      38243f02e04c61ce6042ca71950b6a28

      SHA1

      cbf1f9cb3ee8d93abc48f4c62823ddda9f5619e0

      SHA256

      9b0dd158371d1f3bbbf86e886eba13ea921fb999cebcb27b2209681fb2f01da3

      SHA512

      38d49e4a407d2afecd9144b433fb39cdecd6a895d7e93d9ca1959e27c876cea8a428ca9736212e367695d284ae582d6dad966120d695ec8015e0818dc2690445

    • C:\Users\Admin\AppData\Local\Temp\DxDhr2hmpmipBtl.exe

      Filesize

      15KB

      MD5

      92f9de5aaf4021b73961e14303746f95

      SHA1

      331b792e347ebaf6b6b4c9ac65d742061e1a9f0a

      SHA256

      13c921999e5ff273007a610a8521bbc77d884b41d9cbbd41e045b3497909659c

      SHA512

      314749d46a3584213e55c7030e087e06f1e5bc5fbb8f99210a4e3014b9f44f3be7e791f48c570dd0abaf73584322ebb6be0d2ea5dbbfe343245cced22b172225

    • C:\Windows\CTS.exe

      Filesize

      71KB

      MD5

      6351060cb9fcaf3592510325a13b5219

      SHA1

      7408da86c12d5fa401306df7f9b35cd5c833ba87

      SHA256

      b74bb753ab2ab0996f6c3b988e2a16931e902c5a0dd12d6e35e8b2bb32ce8000

      SHA512

      43d6f1ebb87fe987919bbedce8ad97d4c8945c4104214e443bce56bd6dcdfbdf5060b796fa2839674d727680ef35b781abdb9b12ebf5bff0accf5ee8fb4f4501

    • memory/552-15-0x0000000075310000-0x00000000758C1000-memory.dmp

      Filesize

      5.7MB

    • memory/552-17-0x0000000075310000-0x00000000758C1000-memory.dmp

      Filesize

      5.7MB

    • memory/552-21-0x0000000001420000-0x0000000001430000-memory.dmp

      Filesize

      64KB

    • memory/552-49-0x0000000075310000-0x00000000758C1000-memory.dmp

      Filesize

      5.7MB

    • memory/2868-0-0x0000000000FE0000-0x0000000000FF7000-memory.dmp

      Filesize

      92KB

    • memory/2868-6-0x0000000000FE0000-0x0000000000FF7000-memory.dmp

      Filesize

      92KB

    • memory/4692-10-0x0000000000C10000-0x0000000000C27000-memory.dmp

      Filesize

      92KB