Malware Analysis Report

2025-03-14 22:51

Sample ID 240406-1fysyacd43
Target 60c8201bb2c454f9217120dd8b764dfcb94622a7c1d1895a9ac39eb6f25f0120
SHA256 60c8201bb2c454f9217120dd8b764dfcb94622a7c1d1895a9ac39eb6f25f0120
Tags
upx persistence spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

60c8201bb2c454f9217120dd8b764dfcb94622a7c1d1895a9ac39eb6f25f0120

Threat Level: Known bad

The file 60c8201bb2c454f9217120dd8b764dfcb94622a7c1d1895a9ac39eb6f25f0120 was found to be: Known bad.

Malicious Activity Summary

upx persistence spyware stealer

UPX dump on OEP (original entry point)

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

UPX packed file

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-06 21:36

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 21:36

Reported

2024-04-06 21:38

Platform

win7-20231129-en

Max time kernel

140s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\60c8201bb2c454f9217120dd8b764dfcb94622a7c1d1895a9ac39eb6f25f0120.exe"

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Cq5amUM5fJICkDd.exe | N/A
N/A | N/A | C:\Windows\CTS.exe | N/A
N/A | N/A | N/A | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\60c8201bb2c454f9217120dd8b764dfcb94622a7c1d1895a9ac39eb6f25f0120.exe | N/A
N/A | N/A | N/A | N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\60c8201bb2c454f9217120dd8b764dfcb94622a7c1d1895a9ac39eb6f25f0120.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\60c8201bb2c454f9217120dd8b764dfcb94622a7c1d1895a9ac39eb6f25f0120.exe | N/A
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\60c8201bb2c454f9217120dd8b764dfcb94622a7c1d1895a9ac39eb6f25f0120.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\60c8201bb2c454f9217120dd8b764dfcb94622a7c1d1895a9ac39eb6f25f0120.exe

"C:\Users\Admin\AppData\Local\Temp\60c8201bb2c454f9217120dd8b764dfcb94622a7c1d1895a9ac39eb6f25f0120.exe"

C:\Users\Admin\AppData\Local\Temp\Cq5amUM5fJICkDd.exe

C:\Users\Admin\AppData\Local\Temp\Cq5amUM5fJICkDd.exe

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A

Files

memory/2964-1-0x0000000000DF0000-0x0000000000E08000-memory.dmp

\Users\Admin\AppData\Local\Temp\Cq5amUM5fJICkDd.exe

MD5 e2312f199976d03a7cf41e453c5af246
SHA1 c723bf05f7132c9b66c4f91d6cc363d08b4ed622
SHA256 84fe7824717bb55d7f32c7487e37012a1bc6cd4c8c0202be4bfb07e770f8dc51
SHA512 a5cad97d8bcf893b79eed436ae8df232d7e53df86a0ed38b381c128c5d8c76c0caad41407ed564f2ea2725236eb98ea6d29413886ea22371920bf2b498b49686

memory/2964-15-0x0000000000120000-0x0000000000138000-memory.dmp

C:\Windows\CTS.exe

MD5 a6749b968461644db5cc0ecceffb224a
SHA1 2795aa37b8586986a34437081351cdd791749a90
SHA256 720023737d7ff700818f55612ba069a609a5ddea646bb3509b615ee3523a4ca2
SHA512 2a276816290746ed914af9cf6427aef31ce9395b8e9937090e329a8f74fb84c62d15b196e13346caa086842b3f5f549b9eb20cbf422d18c9c1b63e6342ea90b4

memory/2148-16-0x0000000000920000-0x0000000000938000-memory.dmp

memory/2964-12-0x0000000000120000-0x0000000000138000-memory.dmp

memory/2964-9-0x0000000000DF0000-0x0000000000E08000-memory.dmp

memory/2964-23-0x0000000000120000-0x0000000000138000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 21:36

Reported

2024-04-06 21:38

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\60c8201bb2c454f9217120dd8b764dfcb94622a7c1d1895a9ac39eb6f25f0120.exe"

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FLBTIcW0DG7jrUC.exe | N/A
N/A | N/A | C:\Windows\CTS.exe | N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\60c8201bb2c454f9217120dd8b764dfcb94622a7c1d1895a9ac39eb6f25f0120.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\60c8201bb2c454f9217120dd8b764dfcb94622a7c1d1895a9ac39eb6f25f0120.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\60c8201bb2c454f9217120dd8b764dfcb94622a7c1d1895a9ac39eb6f25f0120.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\60c8201bb2c454f9217120dd8b764dfcb94622a7c1d1895a9ac39eb6f25f0120.exe

"C:\Users\Admin\AppData\Local\Temp\60c8201bb2c454f9217120dd8b764dfcb94622a7c1d1895a9ac39eb6f25f0120.exe"

C:\Users\Admin\AppData\Local\Temp\FLBTIcW0DG7jrUC.exe

C:\Users\Admin\AppData\Local\Temp\FLBTIcW0DG7jrUC.exe

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp
NL | 52.111.243.31:443 | N/A | tcp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 5.173.189.20.in-addr.arpa | udp

Files

memory/4880-0-0x0000000000580000-0x0000000000598000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FLBTIcW0DG7jrUC.exe

MD5 e2312f199976d03a7cf41e453c5af246
SHA1 c723bf05f7132c9b66c4f91d6cc363d08b4ed622
SHA256 84fe7824717bb55d7f32c7487e37012a1bc6cd4c8c0202be4bfb07e770f8dc51
SHA512 a5cad97d8bcf893b79eed436ae8df232d7e53df86a0ed38b381c128c5d8c76c0caad41407ed564f2ea2725236eb98ea6d29413886ea22371920bf2b498b49686

C:\Windows\CTS.exe

MD5 a6749b968461644db5cc0ecceffb224a
SHA1 2795aa37b8586986a34437081351cdd791749a90
SHA256 720023737d7ff700818f55612ba069a609a5ddea646bb3509b615ee3523a4ca2
SHA512 2a276816290746ed914af9cf6427aef31ce9395b8e9937090e329a8f74fb84c62d15b196e13346caa086842b3f5f549b9eb20cbf422d18c9c1b63e6342ea90b4

memory/4880-10-0x0000000000580000-0x0000000000598000-memory.dmp

memory/4796-9-0x0000000000660000-0x0000000000678000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 6a12d3c4fa09bf7be584418d7940adfb
SHA1 f07f7f2872898a4b29ebd22e383af0995c6f6b8d
SHA256 21e77de868f6db5b87fd4c09a5ea85dfb58a23a6fd214e69b7ce2324059fec91
SHA512 9cda466e74fb75b0fc27bbac32e7b70c805eddbc1204419e0e73361708952943e0e3ca06608575d67fad602461b62d4625fe89945b2e13842bff8e8c1961180b