6c8e4f4e58da0e4870b3df5574e6f18955a9e6d523461e60b69c694771251893

General

Target

bdf3ad73daaa78a537cae9bfbe3167db.exe
Size

131KB
MD5

bdf3ad73daaa78a537cae9bfbe3167db
SHA1

1b0ba1a484133c0599f8a1f663c7015a3ae012c6
SHA256

6c8e4f4e58da0e4870b3df5574e6f18955a9e6d523461e60b69c694771251893
SHA512

8c2464fc860db3a0cb34f8215423139df231e87eddb06387a03b5c55232f9757959c7a61e53d4a58d857239a4661a8558b307d626d5e3b568b3604a74f72e3e7
SSDEEP

3072:sr3KcWmjRrzSnr3KcWmjRrzSjQxQJUBuEEqy+/MlSWEDN:/4svBuEEqnk8T

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2960	3ua9fvkoJZlvpOv.exe
3012	CTS.exe

Loads dropped DLL 2 IoCs

pid	Process
2360	bdf3ad73daaa78a537cae9bfbe3167db.exe
2360	bdf3ad73daaa78a537cae9bfbe3167db.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2360-0-0x0000000000A50000-0x0000000000A67000-memory.dmp	upx
behavioral1/files/0x000b0000000141a2-17.dat	upx
behavioral1/memory/2360-15-0x0000000000A50000-0x0000000000A67000-memory.dmp	upx
behavioral1/memory/2360-11-0x0000000000070000-0x0000000000087000-memory.dmp	upx
behavioral1/memory/3012-19-0x00000000011D0000-0x00000000011E7000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	bdf3ad73daaa78a537cae9bfbe3167db.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	bdf3ad73daaa78a537cae9bfbe3167db.exe
File created	C:\Windows\CTS.exe	CTS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2360	bdf3ad73daaa78a537cae9bfbe3167db.exe
Token: SeDebugPrivilege	3012	CTS.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 2960	2360	bdf3ad73daaa78a537cae9bfbe3167db.exe	28
PID 2360 wrote to memory of 2960	2360	bdf3ad73daaa78a537cae9bfbe3167db.exe	28
PID 2360 wrote to memory of 2960	2360	bdf3ad73daaa78a537cae9bfbe3167db.exe	28
PID 2360 wrote to memory of 2960	2360	bdf3ad73daaa78a537cae9bfbe3167db.exe	28
PID 2360 wrote to memory of 3012	2360	bdf3ad73daaa78a537cae9bfbe3167db.exe	29
PID 2360 wrote to memory of 3012	2360	bdf3ad73daaa78a537cae9bfbe3167db.exe	29
PID 2360 wrote to memory of 3012	2360	bdf3ad73daaa78a537cae9bfbe3167db.exe	29
PID 2360 wrote to memory of 3012	2360	bdf3ad73daaa78a537cae9bfbe3167db.exe	29

C:\Users\Admin\AppData\Local\Temp\bdf3ad73daaa78a537cae9bfbe3167db.exe
"C:\Users\Admin\AppData\Local\Temp\bdf3ad73daaa78a537cae9bfbe3167db.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Users\Admin\AppData\Local\Temp\3ua9fvkoJZlvpOv.exe
  C:\Users\Admin\AppData\Local\Temp\3ua9fvkoJZlvpOv.exe
  2⤵
  - Executes dropped EXE
  PID:2960
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\CTS.exe

Filesize
71KB

MD5
1bacdbdb642ac0541a3e6f5b00e032ea

SHA1
c6c69ae9e2875823790c459006a7aa4a0aa33d61

SHA256
2fa023a4d368a222efcbcd789e1b05a3bab9ccfe663b05e099633156d95a7afe

SHA512
4eed3d67224dc80b72f36cd63844851c5513d3c8b8e1a986653058189bd18a7467b3c8c841b47318d4bcd4c25b0cacca7f2d758b5bbf7e803d9c062145005f5a

Download Submit
\Users\Admin\AppData\Local\Temp\3ua9fvkoJZlvpOv.exe

Filesize
60KB

MD5
ed0fde686788caec4f2cb1ec9c31680c

SHA1
81ae63b87eaa9fa5637835d2122c50953ae19d34

SHA256
e362670f93cdd952335b1a41e5529f184f2022ea4d41817a9781b150b062511c

SHA512
d90d5e74a9be23816a93490ed30c0aae9f7f038a42bd14aa2ce78e95967b4aabd848f006f00ade619c9976755658d45aa0f5b6d5babbbb2d59a6ed3a3a12ac6b

Download Submit
memory/2360-0-0x0000000000A50000-0x0000000000A67000-memory.dmp

Filesize
92KB

Download
memory/2360-15-0x0000000000A50000-0x0000000000A67000-memory.dmp

Filesize
92KB

Download
memory/2360-11-0x0000000000070000-0x0000000000087000-memory.dmp

Filesize
92KB

Download
memory/3012-19-0x00000000011D0000-0x00000000011E7000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads