Malware Analysis Report

2025-03-14 22:51

Sample ID 240406-1gjqeacd59
Target 612f7e1323c9a979e55d581be11ea4085cf161e88af49ab52de25dc4f563b9af
SHA256 612f7e1323c9a979e55d581be11ea4085cf161e88af49ab52de25dc4f563b9af
Tags
upx persistence spyware stealer
Score: 10/10

Analysis Overview

Score: 10/10

SHA256

612f7e1323c9a979e55d581be11ea4085cf161e88af49ab52de25dc4f563b9af

Threat Level: Known bad

The file 612f7e1323c9a979e55d581be11ea4085cf161e88af49ab52de25dc4f563b9af was found to be: Known bad.

Malicious Activity Summary

upx persistence spyware stealer

UPX dump on OEP (original entry point)

UPX packed file

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-06 21:37

Signatures

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-06 21:37
Reported: 2024-04-06 21:39
Platform: win7-20240221-en
Max time kernel: 141s
Max time network: 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\612f7e1323c9a979e55d581be11ea4085cf161e88af49ab52de25dc4f563b9af.exe"

Signatures

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\CTS.exe | N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\612f7e1323c9a979e55d581be11ea4085cf161e88af49ab52de25dc4f563b9af.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\612f7e1323c9a979e55d581be11ea4085cf161e88af49ab52de25dc4f563b9af.exe | N/A
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\612f7e1323c9a979e55d581be11ea4085cf161e88af49ab52de25dc4f563b9af.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\612f7e1323c9a979e55d581be11ea4085cf161e88af49ab52de25dc4f563b9af.exe

"C:\Users\Admin\AppData\Local\Temp\612f7e1323c9a979e55d581be11ea4085cf161e88af49ab52de25dc4f563b9af.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A

Files

memory/2884-0-0x0000000000AA0000-0x0000000000AB7000-memory.dmp

C:\Windows\CTS.exe

MD5 286211b8e0aad0533c45d8b8c351cc70
SHA1 cb54a305a566c00742fb972c4ee62266e880ea78
SHA256 1955407b2fd523e375303d560b987216b95105b421a8471218c0b65ceba847f3
SHA512 91eddd484a40aee3a7a9254fd6843b3d9dd455e6a2c4d685d499ab1704d8644a6dc604ad14449e96b0754ae3e6c1c14c16d068605aa4e39840e0421aa7a4be35

memory/2052-12-0x0000000001330000-0x0000000001347000-memory.dmp

memory/2884-9-0x0000000000AA0000-0x0000000000AB7000-memory.dmp

memory/2884-5-0x00000000000E0000-0x00000000000F7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7yRDosleM45HmUB.exe

MD5 59cd8bcbca0e3f6f8a6c17afbd7c67a9
SHA1 728d78ca074967f1d2f3a1cb6d91856bf14435eb
SHA256 a39cd8ab14102bbdaa4fece0cfd69b1b6d0f6917531fbd40fe7f878c1c184b17
SHA512 cdd0aee1a9db5d1e0bae9c4986c2312cdc737ac247df2acd33061937e7dc3eeab341d8db09654f94d766220b5e53ec477fa31913c717d9e61b803943c9eb6fbf

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-06 21:37
Reported: 2024-04-06 21:39
Platform: win10v2004-20240226-en
Max time kernel: 149s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\612f7e1323c9a979e55d581be11ea4085cf161e88af49ab52de25dc4f563b9af.exe"

Signatures

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\CTS.exe | N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\612f7e1323c9a979e55d581be11ea4085cf161e88af49ab52de25dc4f563b9af.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\612f7e1323c9a979e55d581be11ea4085cf161e88af49ab52de25dc4f563b9af.exe | N/A
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\612f7e1323c9a979e55d581be11ea4085cf161e88af49ab52de25dc4f563b9af.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\612f7e1323c9a979e55d581be11ea4085cf161e88af49ab52de25dc4f563b9af.exe

"C:\Users\Admin\AppData\Local\Temp\612f7e1323c9a979e55d581be11ea4085cf161e88af49ab52de25dc4f563b9af.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | | udp

Files

memory/3152-0-0x0000000000BB0000-0x0000000000BC7000-memory.dmp

C:\Windows\CTS.exe

MD5 286211b8e0aad0533c45d8b8c351cc70
SHA1 cb54a305a566c00742fb972c4ee62266e880ea78
SHA256 1955407b2fd523e375303d560b987216b95105b421a8471218c0b65ceba847f3
SHA512 91eddd484a40aee3a7a9254fd6843b3d9dd455e6a2c4d685d499ab1704d8644a6dc604ad14449e96b0754ae3e6c1c14c16d068605aa4e39840e0421aa7a4be35

memory/3152-7-0x0000000000BB0000-0x0000000000BC7000-memory.dmp

memory/1476-9-0x00000000008E0000-0x00000000008F7000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 c572a772772349166a2858d4a2194453
SHA1 9153239b48ee4f4ac8c44578a25052c618c36465
SHA256 eff13b11790a39923eb4b276f24d941a93fd4f22e15c733ea66c01016d1497c0
SHA512 5a5b6be34830406705e8699dd0af66874de4a01f08a391c87aedf837cfd7d7486f6c86787a6a711238bd053de638d2fd225f58b1ca0e1d6c36060bc420f39cd6

C:\Users\Admin\AppData\Local\Temp\IqJcfCI56TqPtd6.exe

MD5 48b95aacb6e2f03c9e5a83f13737c5a6
SHA1 f817813cf16a15e32326fcde6f7d81216d8c7073
SHA256 18d1bae3d4f51ed5adbd9d4a42d7cf44c3d752dc33036abc4d6b71a3bf8cd1f8
SHA512 47cee005c0afd514ab6a4476ed19e3fcf353d1f8adbc83e6f196343aceb358e528998aedbf18f72b61c82dac429f7210c3db6e4b0b6eecb1d974ce917487cc14