Analysis Overview
SHA256
993a491d0a6ade56021be52ae5ddcde52daeeb009389e5820e410ba3d173abfa
Threat Level: Shows suspicious behavior
The file 993a491d0a6ade56021be52ae5ddcde52daeeb009389e5820e410ba3d173abfa was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 23:42
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 23:42
Reported
2024-04-07 23:44
Platform
win7-20240221-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\993a491d0a6ade56021be52ae5ddcde52daeeb009389e5820e410ba3d173abfa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\993a491d0a6ade56021be52ae5ddcde52daeeb009389e5820e410ba3d173abfa.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\993a491d0a6ade56021be52ae5ddcde52daeeb009389e5820e410ba3d173abfa.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2940 wrote to memory of 2956 | N/A | C:\Users\Admin\AppData\Local\Temp\993a491d0a6ade56021be52ae5ddcde52daeeb009389e5820e410ba3d173abfa.exe | C:\Windows\CTS.exe |
| PID 2940 wrote to memory of 2956 | N/A | C:\Users\Admin\AppData\Local\Temp\993a491d0a6ade56021be52ae5ddcde52daeeb009389e5820e410ba3d173abfa.exe | C:\Windows\CTS.exe |
| PID 2940 wrote to memory of 2956 | N/A | C:\Users\Admin\AppData\Local\Temp\993a491d0a6ade56021be52ae5ddcde52daeeb009389e5820e410ba3d173abfa.exe | C:\Windows\CTS.exe |
| PID 2940 wrote to memory of 2956 | N/A | C:\Users\Admin\AppData\Local\Temp\993a491d0a6ade56021be52ae5ddcde52daeeb009389e5820e410ba3d173abfa.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\993a491d0a6ade56021be52ae5ddcde52daeeb009389e5820e410ba3d173abfa.exe
"C:\Users\Admin\AppData\Local\Temp\993a491d0a6ade56021be52ae5ddcde52daeeb009389e5820e410ba3d173abfa.exe"
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network
Files
C:\Windows\CTS.exe
| MD5 | 66df4ffab62e674af2e75b163563fc0b |
| SHA1 | dec8a197312e41eeb3cfef01cb2a443f0205cd6e |
| SHA256 | 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163 |
| SHA512 | 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25 |
C:\Users\Admin\AppData\Local\Temp\M8S64oOxg7UoRRb.exe
| MD5 | 42a6e466693343a2bf761b139e5d1081 |
| SHA1 | 6e070f7fb3f52674edd6f8f4ab3c0bb7d519f312 |
| SHA256 | ca0eda1255d46dd67a33557d1a34e9e63325c1c2fe4c45bf7cb189d5a288cc6a |
| SHA512 | a5f4bb3c619e271442792a3518084855814480bcf9ebfff7b7fc515dab57f3212a42061994d921d870087900f642e28a3f7d74832ef4a5d129544d529d0c6a45 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-07 23:42
Reported
2024-04-07 23:44
Platform
win10v2004-20240226-en
Max time kernel
147s
Max time network
156s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\993a491d0a6ade56021be52ae5ddcde52daeeb009389e5820e410ba3d173abfa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\993a491d0a6ade56021be52ae5ddcde52daeeb009389e5820e410ba3d173abfa.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\993a491d0a6ade56021be52ae5ddcde52daeeb009389e5820e410ba3d173abfa.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1700 wrote to memory of 924 | N/A | C:\Users\Admin\AppData\Local\Temp\993a491d0a6ade56021be52ae5ddcde52daeeb009389e5820e410ba3d173abfa.exe | C:\Windows\CTS.exe |
| PID 1700 wrote to memory of 924 | N/A | C:\Users\Admin\AppData\Local\Temp\993a491d0a6ade56021be52ae5ddcde52daeeb009389e5820e410ba3d173abfa.exe | C:\Windows\CTS.exe |
| PID 1700 wrote to memory of 924 | N/A | C:\Users\Admin\AppData\Local\Temp\993a491d0a6ade56021be52ae5ddcde52daeeb009389e5820e410ba3d173abfa.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\993a491d0a6ade56021be52ae5ddcde52daeeb009389e5820e410ba3d173abfa.exe
"C:\Users\Admin\AppData\Local\Temp\993a491d0a6ade56021be52ae5ddcde52daeeb009389e5820e410ba3d173abfa.exe"
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 130.118.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.179.89.13.in-addr.arpa | udp |
Files
C:\Windows\CTS.exe
| MD5 | 66df4ffab62e674af2e75b163563fc0b |
| SHA1 | dec8a197312e41eeb3cfef01cb2a443f0205cd6e |
| SHA256 | 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163 |
| SHA512 | 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25 |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
| MD5 | 9b84af998ab5ac3862855c2065c5ffe3 |
| SHA1 | 01ca00b9bc581cf71a6777f78e2fa1fc3f341fba |
| SHA256 | c3fa3299bb103de10b4385a8511129bbccc02c8fa6136947e513896bb8a92ee7 |
| SHA512 | 0e56107110d7a7463f939c6aebb65193555efe7d7e501908dcb735eced54b6a5db0341af30554164dfa0edfc4f54fa0864b45168aedfdb693eb649cd80935a17 |
C:\Users\Admin\AppData\Local\Temp\VdRKjyxo5rhIiaH.exe
| MD5 | 58ac89b650cc2c2e9d4c7b89be7d1433 |
| SHA1 | e0153f4d16e5b3db3294079e2bfb5a72f5e11bb0 |
| SHA256 | c1962d74bd6165daa9b019660e3e10487dd635d2f52035d9f25aebb75f1d045c |
| SHA512 | f1ac5724df853326fe74d02fa495dfcc7071b255d5ea242b935a6e38cf82cb0ae1b57efc1117c7115ec068e4cf465fd80e09daaa8ad31787b33be259f66be979 |