Analysis
max time kernel: 141s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16/03/2024, 10:07
Behavioral task: behavioral1
Sample: cdc774d2701e3755988d955383b25745.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: cdc774d2701e3755988d955383b25745.exe
Resource: win10v2004-20231215-en
General
Target: cdc774d2701e3755988d955383b25745.exe
Size: 59KB
MD5: cdc774d2701e3755988d955383b25745
SHA1: a73b9982ea2186a40cdc25d0d3eb556047875a02
SHA256: d612a6ebc9c1b99b97e80f53d88d6dd1dc6a6867a35871e13ab657ce53be409c
SHA512: 6446da7244603eb4a8fb351c03455dd03e7b65008025850e83b2d13af7f3d3ff250c243ec75eb14cb7563ff76cffb77748af0c63210ccd8026e6e274c0316ab5
SSDEEP: 768:XocAX3LKew369lp2z3Sd4baFXLjwP/Tgj93b8NIocVSEFGocAX3LKew369lp2z3b:SKcR4mjD9r823FHKcR4mjD9r823Fu
Malware Config
Signatures

Executes dropped EXE (1 IoC)
pid | Process
2324 | CTS.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

resource | yara_rule
behavioral2/memory/1944-0-0x00000000008B0000-0x00000000008C7000-memory.dmp | upx
behavioral2/files/0x0008000000023208-8.dat | upx
behavioral2/memory/1944-7-0x00000000008B0000-0x00000000008C7000-memory.dmp | upx
behavioral2/memory/2324-10-0x0000000000490000-0x00000000004A7000-memory.dmp | upx
behavioral2/files/0x0005000000022ccd-12.dat | upx
behavioral2/files/0x00090000000231fb-29.dat | upx

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | cdc774d2701e3755988d955383b25745.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | CTS.exe

Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\CTS.exe | cdc774d2701e3755988d955383b25745.exe
File created | C:\Windows\CTS.exe | CTS.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1944 | cdc774d2701e3755988d955383b25745.exe
Token: SeDebugPrivilege | 2324 | CTS.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 1944 wrote to memory of 2324 | 1944 | cdc774d2701e3755988d955383b25745.exe | 86
PID 1944 wrote to memory of 2324 | 1944 | cdc774d2701e3755988d955383b25745.exe | 86
PID 1944 wrote to memory of 2324 | 1944 | cdc774d2701e3755988d955383b25745.exe | 86
Processes

C:\Users\Admin\AppData\Local\Temp\cdc774d2701e3755988d955383b25745.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cdc774d2701e3755988d955383b25745.exe"
  PID: 1944
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\CTS.exe
    Command line: "C:\Windows\CTS.exe"
    PID: 2324
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 382KB
MD5: ea8cbd37421ff13a82f8236f32343837
SHA1: 75a4a3ae10cf565e7694fbdc2dbc1e1f9294614e
SHA256: 3ac07967610693b8d5eb51143c79146fbc101ad96e26f0becd48be760c9ec24a
SHA512: f7ee38d80a4ea9175acb9c29f399b94b41e3c0f6cbfeadf8de2622e1b26e03a35e7659e833dd9c6f7ceef1d67c5bedfcc086391fa7b5b1828e32fd97c1ee3036

Filesize: 59KB
MD5: 7036dd4911d8e065cdbb1df9eb5b9a32
SHA1: 30a2e56ac70518f9dc40b23dbcb1757618d52e2f
SHA256: 1d59be35f09998f4792fec5f6369a42b2ed289c9b77ac2f8520bbfbbdb65214b
SHA512: 3a5beb86adc16cd5ead256d0a177462967da5e28dbeb0ec169f5aea80acd06462ecd294b6253edf45a1717cfcb5a5e57dbadf345dc1337b0d53324c744fad77a

Filesize: 59KB
MD5: 5efd390d5f95c8191f5ac33c4db4b143
SHA1: 42d81b118815361daa3007f1a40f1576e9a9e0bc
SHA256: 6028434636f349d801465f77af3a1e387a9c5032942ca6cadb6506d0800f2a74
SHA512: 720fbe253483dc034307a57a2860c8629a760f883603198d1213f5290b7f236bf0f5f237728ebed50962be83dc7dc4abe61a1e9a55218778495fc6580eb20b3d