6c8e4f4e58da0e4870b3df5574e6f18955a9e6d523461e60b69c694771251893

Analysis

max time kernel
141s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
10-03-2024 06:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bdf3ad73daaa78a537cae9bfbe3167db.exe
Size

131KB
MD5

bdf3ad73daaa78a537cae9bfbe3167db
SHA1

1b0ba1a484133c0599f8a1f663c7015a3ae012c6
SHA256

6c8e4f4e58da0e4870b3df5574e6f18955a9e6d523461e60b69c694771251893
SHA512

8c2464fc860db3a0cb34f8215423139df231e87eddb06387a03b5c55232f9757959c7a61e53d4a58d857239a4661a8558b307d626d5e3b568b3604a74f72e3e7
SSDEEP

3072:sr3KcWmjRrzSnr3KcWmjRrzSjQxQJUBuEEqy+/MlSWEDN:/4svBuEEqnk8T

Score

7^/10

persistence spyware stealer upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1652	Mwgmcn8NURvvhvj.exe
4988	CTS.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4956-0-0x0000000000240000-0x0000000000257000-memory.dmp	upx
behavioral2/files/0x00090000000231fb-7.dat	upx
behavioral2/memory/4956-8-0x0000000000240000-0x0000000000257000-memory.dmp	upx
behavioral2/memory/4988-10-0x0000000000DB0000-0x0000000000DC7000-memory.dmp	upx
behavioral2/files/0x0004000000022758-13.dat	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	bdf3ad73daaa78a537cae9bfbe3167db.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	bdf3ad73daaa78a537cae9bfbe3167db.exe
File created	C:\Windows\CTS.exe	CTS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4956	bdf3ad73daaa78a537cae9bfbe3167db.exe
Token: SeDebugPrivilege	4988	CTS.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4956 wrote to memory of 1652	4956	bdf3ad73daaa78a537cae9bfbe3167db.exe	84
PID 4956 wrote to memory of 1652	4956	bdf3ad73daaa78a537cae9bfbe3167db.exe	84
PID 4956 wrote to memory of 1652	4956	bdf3ad73daaa78a537cae9bfbe3167db.exe	84
PID 4956 wrote to memory of 4988	4956	bdf3ad73daaa78a537cae9bfbe3167db.exe	85
PID 4956 wrote to memory of 4988	4956	bdf3ad73daaa78a537cae9bfbe3167db.exe	85
PID 4956 wrote to memory of 4988	4956	bdf3ad73daaa78a537cae9bfbe3167db.exe	85

C:\Users\Admin\AppData\Local\Temp\bdf3ad73daaa78a537cae9bfbe3167db.exe
"C:\Users\Admin\AppData\Local\Temp\bdf3ad73daaa78a537cae9bfbe3167db.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4956
- C:\Users\Admin\AppData\Local\Temp\Mwgmcn8NURvvhvj.exe
  C:\Users\Admin\AppData\Local\Temp\Mwgmcn8NURvvhvj.exe
  2⤵
  - Executes dropped EXE
  PID:1652
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:4988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
394KB

MD5
ff099389c5767d330dbb06e5528f4adf

SHA1
8323981f1b8d10ad20631a96179a161cda0a5244

SHA256
872adab12fd69e9c6abc43a70b0833b8064d056f12655dedcddc766b185b8711

SHA512
147bed67e7bd696ccf23b908b0caf5576e17046f7ee26a8da5b6b40d8f688247ea6a1aefee3fca63ccecb9b44ad6da7ae353d191910801f575ff4f37afa0b54f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mwgmcn8NURvvhvj.exe

Filesize
60KB

MD5
ed0fde686788caec4f2cb1ec9c31680c

SHA1
81ae63b87eaa9fa5637835d2122c50953ae19d34

SHA256
e362670f93cdd952335b1a41e5529f184f2022ea4d41817a9781b150b062511c

SHA512
d90d5e74a9be23816a93490ed30c0aae9f7f038a42bd14aa2ce78e95967b4aabd848f006f00ade619c9976755658d45aa0f5b6d5babbbb2d59a6ed3a3a12ac6b

Download Submit
C:\Windows\CTS.exe

Filesize
71KB

MD5
1bacdbdb642ac0541a3e6f5b00e032ea

SHA1
c6c69ae9e2875823790c459006a7aa4a0aa33d61

SHA256
2fa023a4d368a222efcbcd789e1b05a3bab9ccfe663b05e099633156d95a7afe

SHA512
4eed3d67224dc80b72f36cd63844851c5513d3c8b8e1a986653058189bd18a7467b3c8c841b47318d4bcd4c25b0cacca7f2d758b5bbf7e803d9c062145005f5a

Download Submit
memory/4956-0-0x0000000000240000-0x0000000000257000-memory.dmp

Filesize
92KB

Download
memory/4956-8-0x0000000000240000-0x0000000000257000-memory.dmp

Filesize
92KB

Download
memory/4988-10-0x0000000000DB0000-0x0000000000DC7000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads