Analysis Overview
SHA256
9aafd72b3c03602cea7da10cdd29c27531e430bb02c095ece775d61718bc60b5
Threat Level: Known bad
The file 9aafd72b3c03602cea7da10cdd29c27531e430bb02c095ece775d61718bc60b5 was found to be: Known bad.
Malicious Activity Summary
UPX dump on OEP (original entry point)
Executes dropped EXE
UPX packed file
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-06 23:40
Signatures
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-06 23:40
Reported
2024-04-06 23:43
Platform
win7-20231129-en
Max time kernel
140s
Max time network
118s
Command Line
Signatures
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\9aafd72b3c03602cea7da10cdd29c27531e430bb02c095ece775d61718bc60b5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\9aafd72b3c03602cea7da10cdd29c27531e430bb02c095ece775d61718bc60b5.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9aafd72b3c03602cea7da10cdd29c27531e430bb02c095ece775d61718bc60b5.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1392 wrote to memory of 2324 | N/A | C:\Users\Admin\AppData\Local\Temp\9aafd72b3c03602cea7da10cdd29c27531e430bb02c095ece775d61718bc60b5.exe | C:\Windows\CTS.exe |
| PID 1392 wrote to memory of 2324 | N/A | C:\Users\Admin\AppData\Local\Temp\9aafd72b3c03602cea7da10cdd29c27531e430bb02c095ece775d61718bc60b5.exe | C:\Windows\CTS.exe |
| PID 1392 wrote to memory of 2324 | N/A | C:\Users\Admin\AppData\Local\Temp\9aafd72b3c03602cea7da10cdd29c27531e430bb02c095ece775d61718bc60b5.exe | C:\Windows\CTS.exe |
| PID 1392 wrote to memory of 2324 | N/A | C:\Users\Admin\AppData\Local\Temp\9aafd72b3c03602cea7da10cdd29c27531e430bb02c095ece775d61718bc60b5.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\9aafd72b3c03602cea7da10cdd29c27531e430bb02c095ece775d61718bc60b5.exe
"C:\Users\Admin\AppData\Local\Temp\9aafd72b3c03602cea7da10cdd29c27531e430bb02c095ece775d61718bc60b5.exe"
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network
Files
memory/1392-0-0x0000000000CC0000-0x0000000000CD8000-memory.dmp
memory/1392-9-0x00000000000E0000-0x00000000000F8000-memory.dmp
C:\Windows\CTS.exe
| MD5 | a6749b968461644db5cc0ecceffb224a |
| SHA1 | 2795aa37b8586986a34437081351cdd791749a90 |
| SHA256 | 720023737d7ff700818f55612ba069a609a5ddea646bb3509b615ee3523a4ca2 |
| SHA512 | 2a276816290746ed914af9cf6427aef31ce9395b8e9937090e329a8f74fb84c62d15b196e13346caa086842b3f5f549b9eb20cbf422d18c9c1b63e6342ea90b4 |
memory/2324-12-0x0000000000E00000-0x0000000000E18000-memory.dmp
memory/1392-8-0x0000000000CC0000-0x0000000000CD8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\GbKjBAyX7H9hhkH.exe
| MD5 | 4aa9a9382bfc193bca24e2b0a8977c54 |
| SHA1 | 8fff31ac80867340f32e42f25f417f6edabbfb30 |
| SHA256 | 3d70854d9e32079a61037b83e76595d73146b8002553aad0465e18e29d13efe5 |
| SHA512 | d9c11d2221fbb8a387e40c212f025794494c58547182630c4913643b3d42d2baa51f7949f41705fd5842ec39e15a1013f85306cbb6b7e2c62391a066241cf1a4 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-06 23:40
Reported
2024-04-06 23:43
Platform
win10v2004-20240226-en
Max time kernel
141s
Max time network
126s
Command Line
Signatures
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\9aafd72b3c03602cea7da10cdd29c27531e430bb02c095ece775d61718bc60b5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\9aafd72b3c03602cea7da10cdd29c27531e430bb02c095ece775d61718bc60b5.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9aafd72b3c03602cea7da10cdd29c27531e430bb02c095ece775d61718bc60b5.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3116 wrote to memory of 384 | N/A | C:\Users\Admin\AppData\Local\Temp\9aafd72b3c03602cea7da10cdd29c27531e430bb02c095ece775d61718bc60b5.exe | C:\Windows\CTS.exe |
| PID 3116 wrote to memory of 384 | N/A | C:\Users\Admin\AppData\Local\Temp\9aafd72b3c03602cea7da10cdd29c27531e430bb02c095ece775d61718bc60b5.exe | C:\Windows\CTS.exe |
| PID 3116 wrote to memory of 384 | N/A | C:\Users\Admin\AppData\Local\Temp\9aafd72b3c03602cea7da10cdd29c27531e430bb02c095ece775d61718bc60b5.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\9aafd72b3c03602cea7da10cdd29c27531e430bb02c095ece775d61718bc60b5.exe
"C:\Users\Admin\AppData\Local\Temp\9aafd72b3c03602cea7da10cdd29c27531e430bb02c095ece775d61718bc60b5.exe"
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
memory/3116-0-0x0000000000D70000-0x0000000000D88000-memory.dmp
C:\Windows\CTS.exe
| MD5 | a6749b968461644db5cc0ecceffb224a |
| SHA1 | 2795aa37b8586986a34437081351cdd791749a90 |
| SHA256 | 720023737d7ff700818f55612ba069a609a5ddea646bb3509b615ee3523a4ca2 |
| SHA512 | 2a276816290746ed914af9cf6427aef31ce9395b8e9937090e329a8f74fb84c62d15b196e13346caa086842b3f5f549b9eb20cbf422d18c9c1b63e6342ea90b4 |
memory/3116-7-0x0000000000D70000-0x0000000000D88000-memory.dmp
memory/384-9-0x0000000000AB0000-0x0000000000AC8000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
| MD5 | df637232e24f427d60787d548433a3eb |
| SHA1 | c71da7b8ee16acb5cf549b2d090e47e4dea70bcd |
| SHA256 | 5497a5f6853df972e6720a9be2d1145f787941112f48dcca0a601c230207eb52 |
| SHA512 | 21a0aae90bc59e10f53465646b58bc26d58655bf4d2f92ffdb5f38cb78130629441600872aeeb04463bcf90d2b7c45f4b0537b6290a047e0f514eb8001379fbe |
C:\Users\Admin\AppData\Local\Temp\aeCyD79stxaiFnU.exe
| MD5 | be5d7aab74dc9e4352c320fce8d2ff84 |
| SHA1 | 11ba08f05d89e04043fbc9e0b2525c2672a334fc |
| SHA256 | a4e62df68aa0f98e67f2b8612ba23518cb658c7724708c1d627af24e6f28ad73 |
| SHA512 | 0076210b3e3259842e48586d9ac689fcbc177c3a62c6c385de6649b817756e23ac426779990a1b949dba528a124e93f9f8c69fe6a8ff37f7b615cb287e64c6a7 |