Analysis

  • max time kernel
    147s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240319-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240319-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    07-04-2024 23:15

General

  • Target

    8dfb073895c4a3f81920a488dc23dc9124d5048907697048e07845303d4fbe56.exe

  • Size

    259KB

  • MD5

    344a42c7fa0f48108bbe1832d75b4296

  • SHA1

    a0b273d216487ea79096616a4225c157f522e967

  • SHA256

    8dfb073895c4a3f81920a488dc23dc9124d5048907697048e07845303d4fbe56

  • SHA512

    d97499d427815c6dd90a38ca117783f796c63afa3cbd54c6889b7d9c979894b850aee460df7c8fbaa93fc74dacda4a64d6e94d9d8b52104f5980917738d075c5

  • SSDEEP

    3072:kjr87SHQ/x7HmifDvzgN4G94Am5rpOqDr4f22ySnxucAVsQMos854h7Pegb/sH:5vAciOrVwpnxTKs5oZCU

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8dfb073895c4a3f81920a488dc23dc9124d5048907697048e07845303d4fbe56.exe
    "C:\Users\Admin\AppData\Local\Temp\8dfb073895c4a3f81920a488dc23dc9124d5048907697048e07845303d4fbe56.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4436
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:5024
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4528 --field-trial-handle=2320,i,3025503729105798828,9325691672526736153,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:2560

Network

MITRE ATT&CK Enterprise v15


Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

      Filesize

      403KB

      MD5

      6eaf1dbc21a31839455cb96dfc56b6bb

      SHA1

      c0914f3ca85a3f091954bf5727855294b88bc243

      SHA256

      4b2408dce2361ebaeda9dcb506114d6825f0025c637586e0755b568fa8e81acf

      SHA512

      cab2a2f8153e63ea16b97f20b6712939505adad1fcbb550fef5b3c6e37d71187feb3b8839a95d21c34563cad35511726d54dc099e0eebf42553f8b0484fc58ed

    • C:\Users\Admin\AppData\Local\Temp\3054WXzmq77A4ne.exe

      Filesize

      259KB

      MD5

      6a4951e117bc3b0c3ba7748fdd030a89

      SHA1

      dbdfbcc77279ccb221164d161dbecd83ec4b8d62

      SHA256

      6e5be00ff4852c40cf5a193131b98c8727f44a6d9e1cac6c482b48bb7816d1aa

      SHA512

      d6ab24f65e735ae6f80e88a2f841beedaa780214b20ff14ec3bf91458ff819244a6035585b1b3cdbdb482cd0528a2a853b5b98227af55f37253e9f55cfa43948

    • C:\Windows\CTS.exe

      Filesize

      80KB

      MD5

      ec704028ad7125c2fa52e04dc68c0ca3

      SHA1

      2a63f27d0138696c9c27a9ea2534e8f2ca11ddc4

      SHA256

      5f77a5d7c9eac3b004820646dece450e315a6e3ed320dc183ae68d59cd2318bf

      SHA512

      a008a08c980583b8698431ca44fa45d5565fdc5316dc3e58c47ae523e7a7a776162979b0c79f9c64f0b71e0d98fb49102679378354f76c270d0c99207c15d160