Malware Analysis Report

2024-11-13 14:01

Sample ID: 240407-28z25shd8z
Target: 8dfb073895c4a3f81920a488dc23dc9124d5048907697048e07845303d4fbe56
SHA256: 8dfb073895c4a3f81920a488dc23dc9124d5048907697048e07845303d4fbe56
Tags: persistence, spyware, stealer
Score: 7/10


Analysis Overview

Score: 7/10

SHA256: 8dfb073895c4a3f81920a488dc23dc9124d5048907697048e07845303d4fbe56

Threat Level: Shows suspicious behavior

The file 8dfb073895c4a3f81920a488dc23dc9124d5048907697048e07845303d4fbe56 was found to show suspicious behavior.

Malicious Activity Summary

Tags: persistence, spyware, stealer

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-07 23:15

Signatures

Unsigned PE

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-07 23:15
Reported: 2024-04-07 23:18
Platform: win10v2004-20240319-en
Max time kernel: 147s
Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8dfb073895c4a3f81920a488dc23dc9124d5048907697048e07845303d4fbe56.exe"

Signatures

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Windows\CTS.exe
Target: N/A

Reads user/profile data of web browsers

Tags: spyware, stealer

Adds Run key to start application

Tags: persistence

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"
Process: C:\Users\Admin\AppData\Local\Temp\8dfb073895c4a3f81920a488dc23dc9124d5048907697048e07845303d4fbe56.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"
Process: C:\Windows\CTS.exe
Target: N/A

Drops file in Windows directory

Description: File created
Indicator: C:\Windows\CTS.exe
Process: C:\Windows\CTS.exe
Target: N/A

Description: File created
Indicator: C:\Windows\CTS.exe
Process: C:\Users\Admin\AppData\Local\Temp\8dfb073895c4a3f81920a488dc23dc9124d5048907697048e07845303d4fbe56.exe
Target: N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\8dfb073895c4a3f81920a488dc23dc9124d5048907697048e07845303d4fbe56.exe
Target: N/A

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Windows\CTS.exe
Target: N/A

Processes

Path: C:\Users\Admin\AppData\Local\Temp\8dfb073895c4a3f81920a488dc23dc9124d5048907697048e07845303d4fbe56.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\8dfb073895c4a3f81920a488dc23dc9124d5048907697048e07845303d4fbe56.exe"

Path: C:\Windows\CTS.exe
Command line: "C:\Windows\CTS.exe"

Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4528 --field-trial-handle=2320,i,3025503729105798828,9325691672526736153,262144 --variations-seed-version /prefetch:8

Network


Files

C:\Windows\CTS.exe

MD5 ec704028ad7125c2fa52e04dc68c0ca3
SHA1 2a63f27d0138696c9c27a9ea2534e8f2ca11ddc4
SHA256 5f77a5d7c9eac3b004820646dece450e315a6e3ed320dc183ae68d59cd2318bf
SHA512 a008a08c980583b8698431ca44fa45d5565fdc5316dc3e58c47ae523e7a7a776162979b0c79f9c64f0b71e0d98fb49102679378354f76c270d0c99207c15d160

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 6eaf1dbc21a31839455cb96dfc56b6bb
SHA1 c0914f3ca85a3f091954bf5727855294b88bc243
SHA256 4b2408dce2361ebaeda9dcb506114d6825f0025c637586e0755b568fa8e81acf
SHA512 cab2a2f8153e63ea16b97f20b6712939505adad1fcbb550fef5b3c6e37d71187feb3b8839a95d21c34563cad35511726d54dc099e0eebf42553f8b0484fc58ed

C:\Users\Admin\AppData\Local\Temp\3054WXzmq77A4ne.exe

MD5 6a4951e117bc3b0c3ba7748fdd030a89
SHA1 dbdfbcc77279ccb221164d161dbecd83ec4b8d62
SHA256 6e5be00ff4852c40cf5a193131b98c8727f44a6d9e1cac6c482b48bb7816d1aa
SHA512 d6ab24f65e735ae6f80e88a2f841beedaa780214b20ff14ec3bf91458ff819244a6035585b1b3cdbdb482cd0528a2a853b5b98227af55f37253e9f55cfa43948

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-07 23:15
Reported: 2024-04-07 23:18
Platform: win7-20240221-en
Max time kernel: 120s
Max time network: 127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8dfb073895c4a3f81920a488dc23dc9124d5048907697048e07845303d4fbe56.exe"

Signatures

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Windows\CTS.exe
Target: N/A

Reads user/profile data of web browsers

Tags: spyware, stealer

Adds Run key to start application

Tags: persistence

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"
Process: C:\Users\Admin\AppData\Local\Temp\8dfb073895c4a3f81920a488dc23dc9124d5048907697048e07845303d4fbe56.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"
Process: C:\Windows\CTS.exe
Target: N/A

Drops file in Windows directory

Description: File created
Indicator: C:\Windows\CTS.exe
Process: C:\Users\Admin\AppData\Local\Temp\8dfb073895c4a3f81920a488dc23dc9124d5048907697048e07845303d4fbe56.exe
Target: N/A

Description: File created
Indicator: C:\Windows\CTS.exe
Process: C:\Windows\CTS.exe
Target: N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\8dfb073895c4a3f81920a488dc23dc9124d5048907697048e07845303d4fbe56.exe
Target: N/A

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Windows\CTS.exe
Target: N/A

Processes

Path: C:\Users\Admin\AppData\Local\Temp\8dfb073895c4a3f81920a488dc23dc9124d5048907697048e07845303d4fbe56.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\8dfb073895c4a3f81920a488dc23dc9124d5048907697048e07845303d4fbe56.exe"

Path: C:\Windows\CTS.exe
Command line: "C:\Windows\CTS.exe"

Network: N/A

Files

C:\Windows\CTS.exe

MD5 ec704028ad7125c2fa52e04dc68c0ca3
SHA1 2a63f27d0138696c9c27a9ea2534e8f2ca11ddc4
SHA256 5f77a5d7c9eac3b004820646dece450e315a6e3ed320dc183ae68d59cd2318bf
SHA512 a008a08c980583b8698431ca44fa45d5565fdc5316dc3e58c47ae523e7a7a776162979b0c79f9c64f0b71e0d98fb49102679378354f76c270d0c99207c15d160

C:\Users\Admin\AppData\Local\Temp\cYdKEDvYUvmEu1r.exe

MD5 f4935e39cd1008b6677ecaff658b51d4
SHA1 c88f99bb82cbbf96992c36b61f6c614a15abc9d6
SHA256 ebc4c06b7d95e74e315419ee7e88e1d0f71e9e9477538c00a93a9ff8c66a6cfc
SHA512 b69050b1ee3a201d52a88742d7f441e5ea1cf5213729cccc634577807a1579c13f24d5ff28567d7dfa09633b21ffc51af7b44c0dbd82c0f5dd477aad72246906