Analysis Overview
SHA256
8dfb073895c4a3f81920a488dc23dc9124d5048907697048e07845303d4fbe56
Threat Level: Shows suspicious behavior
The file 8dfb073895c4a3f81920a488dc23dc9124d5048907697048e07845303d4fbe56 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 23:15
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-07 23:15
Reported
2024-04-07 23:18
Platform
win10v2004-20240319-en
Max time kernel
147s
Max time network
152s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\8dfb073895c4a3f81920a488dc23dc9124d5048907697048e07845303d4fbe56.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\8dfb073895c4a3f81920a488dc23dc9124d5048907697048e07845303d4fbe56.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8dfb073895c4a3f81920a488dc23dc9124d5048907697048e07845303d4fbe56.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4436 wrote to memory of 5024 | N/A | C:\Users\Admin\AppData\Local\Temp\8dfb073895c4a3f81920a488dc23dc9124d5048907697048e07845303d4fbe56.exe | C:\Windows\CTS.exe |
| PID 4436 wrote to memory of 5024 | N/A | C:\Users\Admin\AppData\Local\Temp\8dfb073895c4a3f81920a488dc23dc9124d5048907697048e07845303d4fbe56.exe | C:\Windows\CTS.exe |
| PID 4436 wrote to memory of 5024 | N/A | C:\Users\Admin\AppData\Local\Temp\8dfb073895c4a3f81920a488dc23dc9124d5048907697048e07845303d4fbe56.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\8dfb073895c4a3f81920a488dc23dc9124d5048907697048e07845303d4fbe56.exe
"C:\Users\Admin\AppData\Local\Temp\8dfb073895c4a3f81920a488dc23dc9124d5048907697048e07845303d4fbe56.exe"
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4528 --field-trial-handle=2320,i,3025503729105798828,9325691672526736153,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.118.77.104.in-addr.arpa | udp |
| US | 13.107.246.64:443 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.173.189.20.in-addr.arpa | udp |
Files
C:\Windows\CTS.exe
| MD5 | ec704028ad7125c2fa52e04dc68c0ca3 |
| SHA1 | 2a63f27d0138696c9c27a9ea2534e8f2ca11ddc4 |
| SHA256 | 5f77a5d7c9eac3b004820646dece450e315a6e3ed320dc183ae68d59cd2318bf |
| SHA512 | a008a08c980583b8698431ca44fa45d5565fdc5316dc3e58c47ae523e7a7a776162979b0c79f9c64f0b71e0d98fb49102679378354f76c270d0c99207c15d160 |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
| MD5 | 6eaf1dbc21a31839455cb96dfc56b6bb |
| SHA1 | c0914f3ca85a3f091954bf5727855294b88bc243 |
| SHA256 | 4b2408dce2361ebaeda9dcb506114d6825f0025c637586e0755b568fa8e81acf |
| SHA512 | cab2a2f8153e63ea16b97f20b6712939505adad1fcbb550fef5b3c6e37d71187feb3b8839a95d21c34563cad35511726d54dc099e0eebf42553f8b0484fc58ed |
C:\Users\Admin\AppData\Local\Temp\3054WXzmq77A4ne.exe
| MD5 | 6a4951e117bc3b0c3ba7748fdd030a89 |
| SHA1 | dbdfbcc77279ccb221164d161dbecd83ec4b8d62 |
| SHA256 | 6e5be00ff4852c40cf5a193131b98c8727f44a6d9e1cac6c482b48bb7816d1aa |
| SHA512 | d6ab24f65e735ae6f80e88a2f841beedaa780214b20ff14ec3bf91458ff819244a6035585b1b3cdbdb482cd0528a2a853b5b98227af55f37253e9f55cfa43948 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 23:15
Reported
2024-04-07 23:18
Platform
win7-20240221-en
Max time kernel
120s
Max time network
127s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\8dfb073895c4a3f81920a488dc23dc9124d5048907697048e07845303d4fbe56.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\8dfb073895c4a3f81920a488dc23dc9124d5048907697048e07845303d4fbe56.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8dfb073895c4a3f81920a488dc23dc9124d5048907697048e07845303d4fbe56.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1268 wrote to memory of 2288 | N/A | C:\Users\Admin\AppData\Local\Temp\8dfb073895c4a3f81920a488dc23dc9124d5048907697048e07845303d4fbe56.exe | C:\Windows\CTS.exe |
| PID 1268 wrote to memory of 2288 | N/A | C:\Users\Admin\AppData\Local\Temp\8dfb073895c4a3f81920a488dc23dc9124d5048907697048e07845303d4fbe56.exe | C:\Windows\CTS.exe |
| PID 1268 wrote to memory of 2288 | N/A | C:\Users\Admin\AppData\Local\Temp\8dfb073895c4a3f81920a488dc23dc9124d5048907697048e07845303d4fbe56.exe | C:\Windows\CTS.exe |
| PID 1268 wrote to memory of 2288 | N/A | C:\Users\Admin\AppData\Local\Temp\8dfb073895c4a3f81920a488dc23dc9124d5048907697048e07845303d4fbe56.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\8dfb073895c4a3f81920a488dc23dc9124d5048907697048e07845303d4fbe56.exe
"C:\Users\Admin\AppData\Local\Temp\8dfb073895c4a3f81920a488dc23dc9124d5048907697048e07845303d4fbe56.exe"
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network
Files
C:\Windows\CTS.exe
| MD5 | ec704028ad7125c2fa52e04dc68c0ca3 |
| SHA1 | 2a63f27d0138696c9c27a9ea2534e8f2ca11ddc4 |
| SHA256 | 5f77a5d7c9eac3b004820646dece450e315a6e3ed320dc183ae68d59cd2318bf |
| SHA512 | a008a08c980583b8698431ca44fa45d5565fdc5316dc3e58c47ae523e7a7a776162979b0c79f9c64f0b71e0d98fb49102679378354f76c270d0c99207c15d160 |
C:\Users\Admin\AppData\Local\Temp\cYdKEDvYUvmEu1r.exe
| MD5 | f4935e39cd1008b6677ecaff658b51d4 |
| SHA1 | c88f99bb82cbbf96992c36b61f6c614a15abc9d6 |
| SHA256 | ebc4c06b7d95e74e315419ee7e88e1d0f71e9e9477538c00a93a9ff8c66a6cfc |
| SHA512 | b69050b1ee3a201d52a88742d7f441e5ea1cf5213729cccc634577807a1579c13f24d5ff28567d7dfa09633b21ffc51af7b44c0dbd82c0f5dd477aad72246906 |