Analysis
-
max time kernel
147s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240319-en -
resource tags
arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system -
submitted
07-04-2024 23:15
Static task
static1
Behavioral task
behavioral1
Sample
8dfb073895c4a3f81920a488dc23dc9124d5048907697048e07845303d4fbe56.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
8dfb073895c4a3f81920a488dc23dc9124d5048907697048e07845303d4fbe56.exe
Resource
win10v2004-20240319-en
General
-
Target
8dfb073895c4a3f81920a488dc23dc9124d5048907697048e07845303d4fbe56.exe
-
Size
259KB
-
MD5
344a42c7fa0f48108bbe1832d75b4296
-
SHA1
a0b273d216487ea79096616a4225c157f522e967
-
SHA256
8dfb073895c4a3f81920a488dc23dc9124d5048907697048e07845303d4fbe56
-
SHA512
d97499d427815c6dd90a38ca117783f796c63afa3cbd54c6889b7d9c979894b850aee460df7c8fbaa93fc74dacda4a64d6e94d9d8b52104f5980917738d075c5
-
SSDEEP
3072:kjr87SHQ/x7HmifDvzgN4G94Am5rpOqDr4f22ySnxucAVsQMos854h7Pegb/sH:5vAciOrVwpnxTKs5oZCU
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
CTS.exepid process 5024 CTS.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
8dfb073895c4a3f81920a488dc23dc9124d5048907697048e07845303d4fbe56.exeCTS.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" 8dfb073895c4a3f81920a488dc23dc9124d5048907697048e07845303d4fbe56.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" CTS.exe -
Drops file in Windows directory 2 IoCs
Processes:
CTS.exe8dfb073895c4a3f81920a488dc23dc9124d5048907697048e07845303d4fbe56.exedescription ioc process File created C:\Windows\CTS.exe CTS.exe File created C:\Windows\CTS.exe 8dfb073895c4a3f81920a488dc23dc9124d5048907697048e07845303d4fbe56.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
8dfb073895c4a3f81920a488dc23dc9124d5048907697048e07845303d4fbe56.exeCTS.exedescription pid process Token: SeDebugPrivilege 4436 8dfb073895c4a3f81920a488dc23dc9124d5048907697048e07845303d4fbe56.exe Token: SeDebugPrivilege 5024 CTS.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
8dfb073895c4a3f81920a488dc23dc9124d5048907697048e07845303d4fbe56.exedescription pid process target process PID 4436 wrote to memory of 5024 4436 8dfb073895c4a3f81920a488dc23dc9124d5048907697048e07845303d4fbe56.exe CTS.exe PID 4436 wrote to memory of 5024 4436 8dfb073895c4a3f81920a488dc23dc9124d5048907697048e07845303d4fbe56.exe CTS.exe PID 4436 wrote to memory of 5024 4436 8dfb073895c4a3f81920a488dc23dc9124d5048907697048e07845303d4fbe56.exe CTS.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\8dfb073895c4a3f81920a488dc23dc9124d5048907697048e07845303d4fbe56.exe"C:\Users\Admin\AppData\Local\Temp\8dfb073895c4a3f81920a488dc23dc9124d5048907697048e07845303d4fbe56.exe"1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4436 -
C:\Windows\CTS.exe"C:\Windows\CTS.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5024
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4528 --field-trial-handle=2320,i,3025503729105798828,9325691672526736153,262144 --variations-seed-version /prefetch:81⤵PID:2560
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
403KB
MD56eaf1dbc21a31839455cb96dfc56b6bb
SHA1c0914f3ca85a3f091954bf5727855294b88bc243
SHA2564b2408dce2361ebaeda9dcb506114d6825f0025c637586e0755b568fa8e81acf
SHA512cab2a2f8153e63ea16b97f20b6712939505adad1fcbb550fef5b3c6e37d71187feb3b8839a95d21c34563cad35511726d54dc099e0eebf42553f8b0484fc58ed
-
Filesize
259KB
MD56a4951e117bc3b0c3ba7748fdd030a89
SHA1dbdfbcc77279ccb221164d161dbecd83ec4b8d62
SHA2566e5be00ff4852c40cf5a193131b98c8727f44a6d9e1cac6c482b48bb7816d1aa
SHA512d6ab24f65e735ae6f80e88a2f841beedaa780214b20ff14ec3bf91458ff819244a6035585b1b3cdbdb482cd0528a2a853b5b98227af55f37253e9f55cfa43948
-
Filesize
80KB
MD5ec704028ad7125c2fa52e04dc68c0ca3
SHA12a63f27d0138696c9c27a9ea2534e8f2ca11ddc4
SHA2565f77a5d7c9eac3b004820646dece450e315a6e3ed320dc183ae68d59cd2318bf
SHA512a008a08c980583b8698431ca44fa45d5565fdc5316dc3e58c47ae523e7a7a776162979b0c79f9c64f0b71e0d98fb49102679378354f76c270d0c99207c15d160