d9c0f871306fc1c9b70b436d89c844eeb600f398376a43430572cc3078da357c

Analysis

max time kernel
93s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/04/2024, 01:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d9c0f871306fc1c9b70b436d89c844eeb600f398376a43430572cc3078da357c.exe
Size

302KB
MD5

166b0d63a14a12d85e4c82e207a2d211
SHA1

c722c008d1e13c94262b6dffef1f5a3da9e9ee0e
SHA256

d9c0f871306fc1c9b70b436d89c844eeb600f398376a43430572cc3078da357c
SHA512

2d915355e0823355aef4560a1d480a17413f31b6208a543d6dc481c85eb61243b1b089b0cc1b5b06511b47b37e2aeddd5e8754cc2587c90c33064875ef7ac015
SSDEEP

3072:kjr87SHQNLFmQbkdm3f3dYpAaafsZ1pxjK2aspcve0zNuCBdyxwSRuTuZYTVLYgp:5vN1dYpT1pYFmaUxwSRF6lV2yNPaLcf

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3816	8IA5IgaIsrrkdIT.exe
5056	CTS.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	d9c0f871306fc1c9b70b436d89c844eeb600f398376a43430572cc3078da357c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	CTS.exe
File created	C:\Windows\CTS.exe	d9c0f871306fc1c9b70b436d89c844eeb600f398376a43430572cc3078da357c.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1600	d9c0f871306fc1c9b70b436d89c844eeb600f398376a43430572cc3078da357c.exe
Token: SeDebugPrivilege	5056	CTS.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 3816	1600	d9c0f871306fc1c9b70b436d89c844eeb600f398376a43430572cc3078da357c.exe	86
PID 1600 wrote to memory of 3816	1600	d9c0f871306fc1c9b70b436d89c844eeb600f398376a43430572cc3078da357c.exe	86
PID 1600 wrote to memory of 3816	1600	d9c0f871306fc1c9b70b436d89c844eeb600f398376a43430572cc3078da357c.exe	86
PID 1600 wrote to memory of 5056	1600	d9c0f871306fc1c9b70b436d89c844eeb600f398376a43430572cc3078da357c.exe	87
PID 1600 wrote to memory of 5056	1600	d9c0f871306fc1c9b70b436d89c844eeb600f398376a43430572cc3078da357c.exe	87
PID 1600 wrote to memory of 5056	1600	d9c0f871306fc1c9b70b436d89c844eeb600f398376a43430572cc3078da357c.exe	87

C:\Users\Admin\AppData\Local\Temp\d9c0f871306fc1c9b70b436d89c844eeb600f398376a43430572cc3078da357c.exe
"C:\Users\Admin\AppData\Local\Temp\d9c0f871306fc1c9b70b436d89c844eeb600f398376a43430572cc3078da357c.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Users\Admin\AppData\Local\Temp\8IA5IgaIsrrkdIT.exe
  C:\Users\Admin\AppData\Local\Temp\8IA5IgaIsrrkdIT.exe
  2⤵
  - Executes dropped EXE
  PID:3816
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:5056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
402KB

MD5
db234c357f0adac7664ab5c253a64f7d

SHA1
ddd1e3853dc709b85a3cd00f31b697d88eec59d3

SHA256
2b165ad20aff3c2da8fc7c5a79cead26cd51cd74e5f6f5410fdfc1d2aece2e73

SHA512
93971f8000b32707e6adb49aff48c18624848049fb70a2c43d3e9c556bfe46458110705917b597d28d6ebbf142503368dfd6d4203587e9109887867d30175b10

Download Submit
C:\Users\Admin\AppData\Local\Temp\8IA5IgaIsrrkdIT.exe

Filesize
222KB

MD5
f925a5c64ce7fd8e01e3ad6572d21406

SHA1
379b7fa83587e09234146a551d22b9bb4016a17e

SHA256
8b99ab537d3f709bc5b9331eafd9e3cfc4a3107771db6fb008a0f9dbefe3debc

SHA512
a39c611334d133f64c7de6c6cf89fd2ec0aba4be07da90c8dd9b7c849c6d3a3810f20f03a0b71017294a93f36e1b5ab97c189f20df2e6f6ec74b115bf2e902ab

Download Submit
C:\Windows\CTS.exe

Filesize
80KB

MD5
ec704028ad7125c2fa52e04dc68c0ca3

SHA1
2a63f27d0138696c9c27a9ea2534e8f2ca11ddc4

SHA256
5f77a5d7c9eac3b004820646dece450e315a6e3ed320dc183ae68d59cd2318bf

SHA512
a008a08c980583b8698431ca44fa45d5565fdc5316dc3e58c47ae523e7a7a776162979b0c79f9c64f0b71e0d98fb49102679378354f76c270d0c99207c15d160

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads