Malware Analysis Report

2024-11-30 02:36

Sample ID 240407-wzpxxsah21
Target 07f62baa55ebe10d5e77b3a8f8a853fdb65586f10f8b421e146b448fd784c2db
SHA256 07f62baa55ebe10d5e77b3a8f8a853fdb65586f10f8b421e146b448fd784c2db
Tags: persistence spyware stealer upx

Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

07f62baa55ebe10d5e77b3a8f8a853fdb65586f10f8b421e146b448fd784c2db

Threat Level: Known bad

The file 07f62baa55ebe10d5e77b3a8f8a853fdb65586f10f8b421e146b448fd784c2db was found to be: Known bad.

Malicious Activity Summary

persistence spyware stealer upx

UPX dump on OEP (original entry point)

Reads user/profile data of web browsers

Executes dropped EXE

UPX packed file

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 18:21

Signatures

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 18:21

Reported

2024-04-07 18:24

Platform

win7-20240220-en

Max time kernel

140s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\07f62baa55ebe10d5e77b3a8f8a853fdb65586f10f8b421e146b448fd784c2db.exe"

Signatures

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\CTS.exe | N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\07f62baa55ebe10d5e77b3a8f8a853fdb65586f10f8b421e146b448fd784c2db.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\07f62baa55ebe10d5e77b3a8f8a853fdb65586f10f8b421e146b448fd784c2db.exe | N/A
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\07f62baa55ebe10d5e77b3a8f8a853fdb65586f10f8b421e146b448fd784c2db.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\07f62baa55ebe10d5e77b3a8f8a853fdb65586f10f8b421e146b448fd784c2db.exe

"C:\Users\Admin\AppData\Local\Temp\07f62baa55ebe10d5e77b3a8f8a853fdb65586f10f8b421e146b448fd784c2db.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A

Files

memory/2912-0-0x0000000000920000-0x0000000000937000-memory.dmp

C:\Windows\CTS.exe

MD5 286211b8e0aad0533c45d8b8c351cc70
SHA1 cb54a305a566c00742fb972c4ee62266e880ea78
SHA256 1955407b2fd523e375303d560b987216b95105b421a8471218c0b65ceba847f3
SHA512 91eddd484a40aee3a7a9254fd6843b3d9dd455e6a2c4d685d499ab1704d8644a6dc604ad14449e96b0754ae3e6c1c14c16d068605aa4e39840e0421aa7a4be35

memory/2912-12-0x00000000002F0000-0x0000000000307000-memory.dmp

memory/2912-9-0x0000000000920000-0x0000000000937000-memory.dmp

memory/2912-8-0x00000000002F0000-0x0000000000307000-memory.dmp

memory/2996-13-0x0000000000CF0000-0x0000000000D07000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bj88cpKBWK3W0Sc.exe

MD5 21ac1192d5ef5d89cab17671df0c89a9
SHA1 fd5eccff33f8fa4ea7b27dea52d8cb810e30638d
SHA256 7dea05bbe778cd3c7547734aea1da5e91f7ae786d5b8ff6ca1456d6e3dd602fd
SHA512 26f1a30a9ac40b3ecc05fbccbb11ca05c9156f37ef8db35c3014b618b0a62a52e0452377f833aa5cc559fde55fb42c6a13e902450c678206e04d802ac5c4550c

memory/2912-19-0x00000000002F0000-0x0000000000307000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 18:21

Reported

2024-04-07 18:24

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\07f62baa55ebe10d5e77b3a8f8a853fdb65586f10f8b421e146b448fd784c2db.exe"

Signatures

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\CTS.exe | N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\07f62baa55ebe10d5e77b3a8f8a853fdb65586f10f8b421e146b448fd784c2db.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\07f62baa55ebe10d5e77b3a8f8a853fdb65586f10f8b421e146b448fd784c2db.exe | N/A
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\07f62baa55ebe10d5e77b3a8f8a853fdb65586f10f8b421e146b448fd784c2db.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\07f62baa55ebe10d5e77b3a8f8a853fdb65586f10f8b421e146b448fd784c2db.exe

"C:\Users\Admin\AppData\Local\Temp\07f62baa55ebe10d5e77b3a8f8a853fdb65586f10f8b421e146b448fd784c2db.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 17.143.109.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp

Files

memory/1804-0-0x0000000000940000-0x0000000000957000-memory.dmp

C:\Windows\CTS.exe

MD5 286211b8e0aad0533c45d8b8c351cc70
SHA1 cb54a305a566c00742fb972c4ee62266e880ea78
SHA256 1955407b2fd523e375303d560b987216b95105b421a8471218c0b65ceba847f3
SHA512 91eddd484a40aee3a7a9254fd6843b3d9dd455e6a2c4d685d499ab1704d8644a6dc604ad14449e96b0754ae3e6c1c14c16d068605aa4e39840e0421aa7a4be35

memory/1804-8-0x0000000000940000-0x0000000000957000-memory.dmp

memory/3024-9-0x0000000000320000-0x0000000000337000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 e3ec22e12bd6ec70f8024cdc00975e45
SHA1 26a17a11ed3de172ae9c60374eed698834889127
SHA256 142f55f3c94a634d08afcfb963fa19d86df8b2d86ede6be649d1d177667f3044
SHA512 2b1aac771f9d5b8f771da95e0bdcd450e418a38c9505247a04d6d0e225950852299e635bd0e700113d68bdde5e534b15710cca289795aa2b10691985f9576800

C:\Users\Admin\AppData\Local\Temp\yI47K1NsiPy1Qu3.exe

MD5 04499faa01bc85a17b751cabf58f5da3
SHA1 d9ecc80360870e03f8402d7fb19f90a3767ec48f
SHA256 6f2ed6065ec2c057cf3997eebc723551407c00457e8bb79bc9cc83abc98ad729
SHA512 ea05fe8e2bcea768019a730efd324a2b920005e0a07e0f98eb1015de8f8f3cfd4d2962b7def3ba853ee641bfeb8e842a0de44657cb25d51186bd9d83d652e416