Malware Analysis Report

2024-11-15 06:11

Sample ID 240407-3p1p1aac47
Target 993a491d0a6ade56021be52ae5ddcde52daeeb009389e5820e410ba3d173abfa
SHA256 993a491d0a6ade56021be52ae5ddcde52daeeb009389e5820e410ba3d173abfa
Tags
persistence spyware stealer
Score 7/10

Analysis Overview

Score 7/10

SHA256

993a491d0a6ade56021be52ae5ddcde52daeeb009389e5820e410ba3d173abfa

Threat Level: Shows suspicious behavior

The file 993a491d0a6ade56021be52ae5ddcde52daeeb009389e5820e410ba3d173abfa was found to show suspicious behavior.

Malicious Activity Summary

persistence spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-04-07 23:42

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 23:42

Reported

2024-04-07 23:44

Platform

win7-20240221-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\993a491d0a6ade56021be52ae5ddcde52daeeb009389e5820e410ba3d173abfa.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\CTS.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\993a491d0a6ade56021be52ae5ddcde52daeeb009389e5820e410ba3d173abfa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\993a491d0a6ade56021be52ae5ddcde52daeeb009389e5820e410ba3d173abfa.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\993a491d0a6ade56021be52ae5ddcde52daeeb009389e5820e410ba3d173abfa.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\993a491d0a6ade56021be52ae5ddcde52daeeb009389e5820e410ba3d173abfa.exe

"C:\Users\Admin\AppData\Local\Temp\993a491d0a6ade56021be52ae5ddcde52daeeb009389e5820e410ba3d173abfa.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A

Files

C:\Windows\CTS.exe

MD5 66df4ffab62e674af2e75b163563fc0b
SHA1 dec8a197312e41eeb3cfef01cb2a443f0205cd6e
SHA256 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163
SHA512 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25

C:\Users\Admin\AppData\Local\Temp\M8S64oOxg7UoRRb.exe

MD5 42a6e466693343a2bf761b139e5d1081
SHA1 6e070f7fb3f52674edd6f8f4ab3c0bb7d519f312
SHA256 ca0eda1255d46dd67a33557d1a34e9e63325c1c2fe4c45bf7cb189d5a288cc6a
SHA512 a5f4bb3c619e271442792a3518084855814480bcf9ebfff7b7fc515dab57f3212a42061994d921d870087900f642e28a3f7d74832ef4a5d129544d529d0c6a45

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 23:42

Reported

2024-04-07 23:44

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\993a491d0a6ade56021be52ae5ddcde52daeeb009389e5820e410ba3d173abfa.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\CTS.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\993a491d0a6ade56021be52ae5ddcde52daeeb009389e5820e410ba3d173abfa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\993a491d0a6ade56021be52ae5ddcde52daeeb009389e5820e410ba3d173abfa.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\993a491d0a6ade56021be52ae5ddcde52daeeb009389e5820e410ba3d173abfa.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\993a491d0a6ade56021be52ae5ddcde52daeeb009389e5820e410ba3d173abfa.exe

"C:\Users\Admin\AppData\Local\Temp\993a491d0a6ade56021be52ae5ddcde52daeeb009389e5820e410ba3d173abfa.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 43.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 130.118.77.104.in-addr.arpa udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 98.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 8.179.89.13.in-addr.arpa udp

Files

C:\Windows\CTS.exe

MD5 66df4ffab62e674af2e75b163563fc0b
SHA1 dec8a197312e41eeb3cfef01cb2a443f0205cd6e
SHA256 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163
SHA512 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 9b84af998ab5ac3862855c2065c5ffe3
SHA1 01ca00b9bc581cf71a6777f78e2fa1fc3f341fba
SHA256 c3fa3299bb103de10b4385a8511129bbccc02c8fa6136947e513896bb8a92ee7
SHA512 0e56107110d7a7463f939c6aebb65193555efe7d7e501908dcb735eced54b6a5db0341af30554164dfa0edfc4f54fa0864b45168aedfdb693eb649cd80935a17

C:\Users\Admin\AppData\Local\Temp\VdRKjyxo5rhIiaH.exe

MD5 58ac89b650cc2c2e9d4c7b89be7d1433
SHA1 e0153f4d16e5b3db3294079e2bfb5a72f5e11bb0
SHA256 c1962d74bd6165daa9b019660e3e10487dd635d2f52035d9f25aebb75f1d045c
SHA512 f1ac5724df853326fe74d02fa495dfcc7071b255d5ea242b935a6e38cf82cb0ae1b57efc1117c7115ec068e4cf465fd80e09daaa8ad31787b33be259f66be979