Analysis Overview
SHA256
612f7e1323c9a979e55d581be11ea4085cf161e88af49ab52de25dc4f563b9af
Threat Level: Known bad
The file 612f7e1323c9a979e55d581be11ea4085cf161e88af49ab52de25dc4f563b9af was found to be: Known bad.
Malicious Activity Summary
UPX dump on OEP (original entry point)
UPX packed file
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-06 21:37
Signatures
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-06 21:37
Reported
2024-04-06 21:39
Platform
win7-20240221-en
Max time kernel
141s
Max time network
124s
Command Line
Signatures
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\612f7e1323c9a979e55d581be11ea4085cf161e88af49ab52de25dc4f563b9af.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\612f7e1323c9a979e55d581be11ea4085cf161e88af49ab52de25dc4f563b9af.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\612f7e1323c9a979e55d581be11ea4085cf161e88af49ab52de25dc4f563b9af.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2884 wrote to memory of 2052 | N/A | C:\Users\Admin\AppData\Local\Temp\612f7e1323c9a979e55d581be11ea4085cf161e88af49ab52de25dc4f563b9af.exe | C:\Windows\CTS.exe |
| PID 2884 wrote to memory of 2052 | N/A | C:\Users\Admin\AppData\Local\Temp\612f7e1323c9a979e55d581be11ea4085cf161e88af49ab52de25dc4f563b9af.exe | C:\Windows\CTS.exe |
| PID 2884 wrote to memory of 2052 | N/A | C:\Users\Admin\AppData\Local\Temp\612f7e1323c9a979e55d581be11ea4085cf161e88af49ab52de25dc4f563b9af.exe | C:\Windows\CTS.exe |
| PID 2884 wrote to memory of 2052 | N/A | C:\Users\Admin\AppData\Local\Temp\612f7e1323c9a979e55d581be11ea4085cf161e88af49ab52de25dc4f563b9af.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\612f7e1323c9a979e55d581be11ea4085cf161e88af49ab52de25dc4f563b9af.exe
"C:\Users\Admin\AppData\Local\Temp\612f7e1323c9a979e55d581be11ea4085cf161e88af49ab52de25dc4f563b9af.exe"
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network
Files
memory/2884-0-0x0000000000AA0000-0x0000000000AB7000-memory.dmp
C:\Windows\CTS.exe
| MD5 | 286211b8e0aad0533c45d8b8c351cc70 |
| SHA1 | cb54a305a566c00742fb972c4ee62266e880ea78 |
| SHA256 | 1955407b2fd523e375303d560b987216b95105b421a8471218c0b65ceba847f3 |
| SHA512 | 91eddd484a40aee3a7a9254fd6843b3d9dd455e6a2c4d685d499ab1704d8644a6dc604ad14449e96b0754ae3e6c1c14c16d068605aa4e39840e0421aa7a4be35 |
memory/2052-12-0x0000000001330000-0x0000000001347000-memory.dmp
memory/2884-9-0x0000000000AA0000-0x0000000000AB7000-memory.dmp
memory/2884-5-0x00000000000E0000-0x00000000000F7000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7yRDosleM45HmUB.exe
| MD5 | 59cd8bcbca0e3f6f8a6c17afbd7c67a9 |
| SHA1 | 728d78ca074967f1d2f3a1cb6d91856bf14435eb |
| SHA256 | a39cd8ab14102bbdaa4fece0cfd69b1b6d0f6917531fbd40fe7f878c1c184b17 |
| SHA512 | cdd0aee1a9db5d1e0bae9c4986c2312cdc737ac247df2acd33061937e7dc3eeab341d8db09654f94d766220b5e53ec477fa31913c717d9e61b803943c9eb6fbf |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-06 21:37
Reported
2024-04-06 21:39
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\612f7e1323c9a979e55d581be11ea4085cf161e88af49ab52de25dc4f563b9af.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\612f7e1323c9a979e55d581be11ea4085cf161e88af49ab52de25dc4f563b9af.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\612f7e1323c9a979e55d581be11ea4085cf161e88af49ab52de25dc4f563b9af.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3152 wrote to memory of 1476 | N/A | C:\Users\Admin\AppData\Local\Temp\612f7e1323c9a979e55d581be11ea4085cf161e88af49ab52de25dc4f563b9af.exe | C:\Windows\CTS.exe |
| PID 3152 wrote to memory of 1476 | N/A | C:\Users\Admin\AppData\Local\Temp\612f7e1323c9a979e55d581be11ea4085cf161e88af49ab52de25dc4f563b9af.exe | C:\Windows\CTS.exe |
| PID 3152 wrote to memory of 1476 | N/A | C:\Users\Admin\AppData\Local\Temp\612f7e1323c9a979e55d581be11ea4085cf161e88af49ab52de25dc4f563b9af.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\612f7e1323c9a979e55d581be11ea4085cf161e88af49ab52de25dc4f563b9af.exe
"C:\Users\Admin\AppData\Local\Temp\612f7e1323c9a979e55d581be11ea4085cf161e88af49ab52de25dc4f563b9af.exe"
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | N/A | udp |
Files
memory/3152-0-0x0000000000BB0000-0x0000000000BC7000-memory.dmp
C:\Windows\CTS.exe
| MD5 | 286211b8e0aad0533c45d8b8c351cc70 |
| SHA1 | cb54a305a566c00742fb972c4ee62266e880ea78 |
| SHA256 | 1955407b2fd523e375303d560b987216b95105b421a8471218c0b65ceba847f3 |
| SHA512 | 91eddd484a40aee3a7a9254fd6843b3d9dd455e6a2c4d685d499ab1704d8644a6dc604ad14449e96b0754ae3e6c1c14c16d068605aa4e39840e0421aa7a4be35 |
memory/3152-7-0x0000000000BB0000-0x0000000000BC7000-memory.dmp
memory/1476-9-0x00000000008E0000-0x00000000008F7000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
| MD5 | c572a772772349166a2858d4a2194453 |
| SHA1 | 9153239b48ee4f4ac8c44578a25052c618c36465 |
| SHA256 | eff13b11790a39923eb4b276f24d941a93fd4f22e15c733ea66c01016d1497c0 |
| SHA512 | 5a5b6be34830406705e8699dd0af66874de4a01f08a391c87aedf837cfd7d7486f6c86787a6a711238bd053de638d2fd225f58b1ca0e1d6c36060bc420f39cd6 |
C:\Users\Admin\AppData\Local\Temp\IqJcfCI56TqPtd6.exe
| MD5 | 48b95aacb6e2f03c9e5a83f13737c5a6 |
| SHA1 | f817813cf16a15e32326fcde6f7d81216d8c7073 |
| SHA256 | 18d1bae3d4f51ed5adbd9d4a42d7cf44c3d752dc33036abc4d6b71a3bf8cd1f8 |
| SHA512 | 47cee005c0afd514ab6a4476ed19e3fcf353d1f8adbc83e6f196343aceb358e528998aedbf18f72b61c82dac429f7210c3db6e4b0b6eecb1d974ce917487cc14 |