Malware Analysis Report

2025-03-14 22:58

Sample ID: 240406-3n3g7sed6x
Target: 9aafd72b3c03602cea7da10cdd29c27531e430bb02c095ece775d61718bc60b5
SHA256: 9aafd72b3c03602cea7da10cdd29c27531e430bb02c095ece775d61718bc60b5
Tags: upx persistence spyware stealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

9aafd72b3c03602cea7da10cdd29c27531e430bb02c095ece775d61718bc60b5

Threat Level: Known bad

The file 9aafd72b3c03602cea7da10cdd29c27531e430bb02c095ece775d61718bc60b5 was found to be: Known bad.

Malicious Activity Summary

upx persistence spyware stealer

UPX dump on OEP (original entry point)

Executes dropped EXE

UPX packed file

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-06 23:40

Signatures

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 23:40

Reported

2024-04-06 23:43

Platform

win7-20231129-en

Max time kernel

140s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9aafd72b3c03602cea7da10cdd29c27531e430bb02c095ece775d61718bc60b5.exe"

Signatures

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\CTS.exe | N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\9aafd72b3c03602cea7da10cdd29c27531e430bb02c095ece775d61718bc60b5.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\9aafd72b3c03602cea7da10cdd29c27531e430bb02c095ece775d61718bc60b5.exe | N/A
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9aafd72b3c03602cea7da10cdd29c27531e430bb02c095ece775d61718bc60b5.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9aafd72b3c03602cea7da10cdd29c27531e430bb02c095ece775d61718bc60b5.exe

"C:\Users\Admin\AppData\Local\Temp\9aafd72b3c03602cea7da10cdd29c27531e430bb02c095ece775d61718bc60b5.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A

Files

memory/1392-0-0x0000000000CC0000-0x0000000000CD8000-memory.dmp

memory/1392-9-0x00000000000E0000-0x00000000000F8000-memory.dmp

C:\Windows\CTS.exe

MD5 a6749b968461644db5cc0ecceffb224a
SHA1 2795aa37b8586986a34437081351cdd791749a90
SHA256 720023737d7ff700818f55612ba069a609a5ddea646bb3509b615ee3523a4ca2
SHA512 2a276816290746ed914af9cf6427aef31ce9395b8e9937090e329a8f74fb84c62d15b196e13346caa086842b3f5f549b9eb20cbf422d18c9c1b63e6342ea90b4

memory/2324-12-0x0000000000E00000-0x0000000000E18000-memory.dmp

memory/1392-8-0x0000000000CC0000-0x0000000000CD8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GbKjBAyX7H9hhkH.exe

MD5 4aa9a9382bfc193bca24e2b0a8977c54
SHA1 8fff31ac80867340f32e42f25f417f6edabbfb30
SHA256 3d70854d9e32079a61037b83e76595d73146b8002553aad0465e18e29d13efe5
SHA512 d9c11d2221fbb8a387e40c212f025794494c58547182630c4913643b3d42d2baa51f7949f41705fd5842ec39e15a1013f85306cbb6b7e2c62391a066241cf1a4

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 23:40

Reported

2024-04-06 23:43

Platform

win10v2004-20240226-en

Max time kernel

141s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9aafd72b3c03602cea7da10cdd29c27531e430bb02c095ece775d61718bc60b5.exe"

Signatures

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\CTS.exe | N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\9aafd72b3c03602cea7da10cdd29c27531e430bb02c095ece775d61718bc60b5.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\9aafd72b3c03602cea7da10cdd29c27531e430bb02c095ece775d61718bc60b5.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9aafd72b3c03602cea7da10cdd29c27531e430bb02c095ece775d61718bc60b5.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9aafd72b3c03602cea7da10cdd29c27531e430bb02c095ece775d61718bc60b5.exe

"C:\Users\Admin\AppData\Local\Temp\9aafd72b3c03602cea7da10cdd29c27531e430bb02c095ece775d61718bc60b5.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 145.83.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp

Files

memory/3116-0-0x0000000000D70000-0x0000000000D88000-memory.dmp

C:\Windows\CTS.exe

MD5 a6749b968461644db5cc0ecceffb224a
SHA1 2795aa37b8586986a34437081351cdd791749a90
SHA256 720023737d7ff700818f55612ba069a609a5ddea646bb3509b615ee3523a4ca2
SHA512 2a276816290746ed914af9cf6427aef31ce9395b8e9937090e329a8f74fb84c62d15b196e13346caa086842b3f5f549b9eb20cbf422d18c9c1b63e6342ea90b4

memory/3116-7-0x0000000000D70000-0x0000000000D88000-memory.dmp

memory/384-9-0x0000000000AB0000-0x0000000000AC8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 df637232e24f427d60787d548433a3eb
SHA1 c71da7b8ee16acb5cf549b2d090e47e4dea70bcd
SHA256 5497a5f6853df972e6720a9be2d1145f787941112f48dcca0a601c230207eb52
SHA512 21a0aae90bc59e10f53465646b58bc26d58655bf4d2f92ffdb5f38cb78130629441600872aeeb04463bcf90d2b7c45f4b0537b6290a047e0f514eb8001379fbe

C:\Users\Admin\AppData\Local\Temp\aeCyD79stxaiFnU.exe

MD5 be5d7aab74dc9e4352c320fce8d2ff84
SHA1 11ba08f05d89e04043fbc9e0b2525c2672a334fc
SHA256 a4e62df68aa0f98e67f2b8612ba23518cb658c7724708c1d627af24e6f28ad73
SHA512 0076210b3e3259842e48586d9ac689fcbc177c3a62c6c385de6649b817756e23ac426779990a1b949dba528a124e93f9f8c69fe6a8ff37f7b615cb287e64c6a7