Malware Analysis Report

2024-11-15 06:07

Sample ID 240407-x2v3dsce37
Target 22bbe420096ec62f8e226a41aff3c3fde3ba8d9b606e1c351aa67a97e7526f55
SHA256 22bbe420096ec62f8e226a41aff3c3fde3ba8d9b606e1c351aa67a97e7526f55
Tags
persistence spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

22bbe420096ec62f8e226a41aff3c3fde3ba8d9b606e1c351aa67a97e7526f55

Threat level: shows suspicious behavior (score 7/10).

The file 22bbe420096ec62f8e226a41aff3c3fde3ba8d9b606e1c351aa67a97e7526f55 shows suspicious behavior: it drops and executes further executables, registers a Run key for persistence, and reads browser profile data.

Malicious Activity Summary

persistence spyware stealer

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 19:21

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 19:21

Reported

2024-04-07 19:24

Platform

win7-20240221-en

Max time kernel

122s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\22bbe420096ec62f8e226a41aff3c3fde3ba8d9b606e1c351aa67a97e7526f55.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mLPAzkTG2z69GZ7.exe | N/A
N/A | N/A | C:\Windows\CTS.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\22bbe420096ec62f8e226a41aff3c3fde3ba8d9b606e1c351aa67a97e7526f55.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\22bbe420096ec62f8e226a41aff3c3fde3ba8d9b606e1c351aa67a97e7526f55.exe | N/A
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\22bbe420096ec62f8e226a41aff3c3fde3ba8d9b606e1c351aa67a97e7526f55.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\22bbe420096ec62f8e226a41aff3c3fde3ba8d9b606e1c351aa67a97e7526f55.exe

"C:\Users\Admin\AppData\Local\Temp\22bbe420096ec62f8e226a41aff3c3fde3ba8d9b606e1c351aa67a97e7526f55.exe"

C:\Users\Admin\AppData\Local\Temp\mLPAzkTG2z69GZ7.exe

C:\Users\Admin\AppData\Local\Temp\mLPAzkTG2z69GZ7.exe

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\mLPAzkTG2z69GZ7.exe

MD5 2fdb371d45181dff59577110ba1064e2
SHA1 42a5833cb0ac90e38d734d1327bb3f7c7a6aa453
SHA256 80d7ec8ce3913d81ea5d4f304b8609e56f0e49778c52af9279e742ea54f4a155
SHA512 52982041ba9ca552b90b79b251501ec6c33c5251d09ca9969a1b179af2ec17aca6eb81db6e588e12751bcea04208e1da8d5a754a979dd98ceb3f50780aadea20

C:\Windows\CTS.exe

MD5 66df4ffab62e674af2e75b163563fc0b
SHA1 dec8a197312e41eeb3cfef01cb2a443f0205cd6e
SHA256 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163
SHA512 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25

memory/1824-13-0x00000000011D0000-0x00000000011F8000-memory.dmp

memory/1824-14-0x000007FEF50E0000-0x000007FEF5ACC000-memory.dmp

memory/1824-15-0x000000001AD60000-0x000000001ADE0000-memory.dmp

memory/1824-16-0x000007FEF50E0000-0x000007FEF5ACC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 19:21

Reported

2024-04-07 19:24

Platform

win10v2004-20240226-en

Max time kernel

114s

Max time network

116s

Command Line

"C:\Users\Admin\AppData\Local\Temp\22bbe420096ec62f8e226a41aff3c3fde3ba8d9b606e1c351aa67a97e7526f55.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\G8knCJIGhDtBRXV.exe | N/A
N/A | N/A | C:\Windows\CTS.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\22bbe420096ec62f8e226a41aff3c3fde3ba8d9b606e1c351aa67a97e7526f55.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\22bbe420096ec62f8e226a41aff3c3fde3ba8d9b606e1c351aa67a97e7526f55.exe | N/A
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\22bbe420096ec62f8e226a41aff3c3fde3ba8d9b606e1c351aa67a97e7526f55.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A
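The persistence chain recorded in both behavioral runs (sample drops a randomly named .exe into %TEMP% and a fixed C:\Windows\CTS.exe, registers CTS under the HKLM Wow6432Node Run key, and CTS.exe then re-creates its own file and re-sets the same key) can be turned into a host-log detection. The Python below is an added example written for this page, not code from the sandbox or the report. It evaluates Sysmon-style events (EventID 1 ProcessCreate, 11 FileCreate, 13 RegistryEvent) against rules derived from those rows; the event list is constructed here to mirror the behavioral1 signatures, the IOC hashes are copied from the Files sections, and the parent-process relationships and the benign control row are assumptions, since the report lists no parent PIDs.

```python
import ntpath
import re

# SHA256 values copied from the report's Files sections.
KNOWN_SHA256 = {
    "22bbe420096ec62f8e226a41aff3c3fde3ba8d9b606e1c351aa67a97e7526f55": "sample",
    "80d7ec8ce3913d81ea5d4f304b8609e56f0e49778c52af9279e742ea54f4a155": "dropped temp exe",
    "075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163": "C:\\Windows\\CTS.exe",
}
WINDIR = "C:\\Windows"
# A bare .exe in the user's %TEMP%, where both the sample and its drop ran.
TEMP_EXE_RE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.I)
# HKLM Run key in Sysmon (HKLM\...) or native (\REGISTRY\MACHINE\...) form,
# with or without the Wow6432Node redirection seen in the report.
RUN_KEY_RE = re.compile(
    r"^(HKLM|\\REGISTRY\\MACHINE)\\SOFTWARE\\(Wow6432Node\\)?"
    r"Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)


def in_windows_root(path):
    """True for a file directly in C:\\Windows, not in any subdirectory."""
    head, _tail = ntpath.split(path)
    return head.lower() == WINDIR.lower()


def sha256_of(event):
    """Extract SHA256 from a Sysmon-style 'Hashes' field ('MD5=..,SHA256=..')."""
    for part in event.get("Hashes", "").split(","):
        key, _sep, value = part.partition("=")
        if key.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def evaluate(events):
    """Return (rule_name, event_index) pairs for the behaviors in the report."""
    hits = []
    for i, ev in enumerate(events):
        eid, image = ev["EventID"], ev.get("Image", "")
        if eid == 13 and RUN_KEY_RE.match(ev.get("TargetObject", "")):
            data = ev.get("Details", "").strip('"')
            if in_windows_root(data):
                # Run value pointing at an executable dropped straight into C:\Windows.
                hits.append(("run_key_to_windows_root", i))
                if ntpath.normcase(data) == ntpath.normcase(image):
                    # The persisted copy re-registering itself, as CTS.exe does.
                    hits.append(("run_key_self_repair", i))
        elif eid == 11:
            target = ev.get("TargetFilename", "")
            if in_windows_root(target) and target.lower().endswith(".exe"):
                if TEMP_EXE_RE.match(image):
                    hits.append(("temp_exe_drops_into_windows_root", i))
                if ntpath.normcase(target) == ntpath.normcase(image):
                    hits.append(("file_self_repair", i))
        elif eid == 1:
            label = KNOWN_SHA256.get(sha256_of(ev) or "")
            if label:
                hits.append(("known_hash:" + label, i))
            if TEMP_EXE_RE.match(image) and TEMP_EXE_RE.match(ev.get("ParentImage", "")):
                # "Executes dropped EXE": a %TEMP% binary launching another %TEMP% binary.
                hits.append(("temp_exe_spawns_temp_exe", i))
    return hits


SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "22bbe420096ec62f8e226a41aff3c3fde3ba8d9b606e1c351aa67a97e7526f55.exe")
DROP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mLPAzkTG2z69GZ7.exe"
CTS = "C:\\Windows\\CTS.exe"
RUNKEY = "HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\CTS"

# Constructed events mirroring the behavioral1 rows. ParentImage values and the
# final benign row are assumptions; the report does not record parent processes.
EVENTS = [
    {"EventID": 1, "Image": SAMPLE, "ParentImage": "C:\\Windows\\explorer.exe",
     "Hashes": "SHA256=22bbe420096ec62f8e226a41aff3c3fde3ba8d9b606e1c351aa67a97e7526f55"},
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": DROP},
    {"EventID": 1, "Image": DROP, "ParentImage": SAMPLE,
     "Hashes": "SHA256=80d7ec8ce3913d81ea5d4f304b8609e56f0e49778c52af9279e742ea54f4a155"},
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": CTS},
    {"EventID": 13, "Image": SAMPLE, "TargetObject": RUNKEY, "Details": CTS},
    {"EventID": 1, "Image": CTS, "ParentImage": SAMPLE,
     "Hashes": "SHA256=075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163"},
    {"EventID": 11, "Image": CTS, "TargetFilename": CTS},
    {"EventID": 13, "Image": CTS, "TargetObject": RUNKEY, "Details": CTS},
    # Benign control: an installed application registering itself under Run.
    {"EventID": 13, "Image": "C:\\Program Files\\Vendor\\app.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\App",
     "Details": "C:\\Program Files\\Vendor\\app.exe"},
]

if __name__ == "__main__":
    for rule, idx in evaluate(EVENTS):
        print(f"{rule:36} event[{idx}] {EVENTS[idx]['Image']}")
```

The random drop name differs between the two runs (mLPAzkTG2z69GZ7.exe on Windows 7, G8knCJIGhDtBRXV.exe on Windows 10) while its hash is identical, so the rules match on location and hash rather than on file name. The self-repair rules are deliberately gated on the Run value or written file sitting directly in C:\Windows; a program re-registering its own path under Run is common for legitimate software, and without that gate the benign control row would fire too.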

Processes

C:\Users\Admin\AppData\Local\Temp\22bbe420096ec62f8e226a41aff3c3fde3ba8d9b606e1c351aa67a97e7526f55.exe

"C:\Users\Admin\AppData\Local\Temp\22bbe420096ec62f8e226a41aff3c3fde3ba8d9b606e1c351aa67a97e7526f55.exe"

C:\Users\Admin\AppData\Local\Temp\G8knCJIGhDtBRXV.exe

C:\Users\Admin\AppData\Local\Temp\G8knCJIGhDtBRXV.exe

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 121.118.77.104.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\G8knCJIGhDtBRXV.exe

MD5 2fdb371d45181dff59577110ba1064e2
SHA1 42a5833cb0ac90e38d734d1327bb3f7c7a6aa453
SHA256 80d7ec8ce3913d81ea5d4f304b8609e56f0e49778c52af9279e742ea54f4a155
SHA512 52982041ba9ca552b90b79b251501ec6c33c5251d09ca9969a1b179af2ec17aca6eb81db6e588e12751bcea04208e1da8d5a754a979dd98ceb3f50780aadea20

C:\Windows\CTS.exe

MD5 66df4ffab62e674af2e75b163563fc0b
SHA1 dec8a197312e41eeb3cfef01cb2a443f0205cd6e
SHA256 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163
SHA512 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25

memory/1988-9-0x0000000000720000-0x0000000000748000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 17fd7f5cced11a10ebdba48895aedd0d
SHA1 795111f72a25f12caa84754cbdb7a5dc8a58974d
SHA256 3045ceaab674711002ef96ead8735544b5f32e0de253ba8e27ff6bfcf141ad51
SHA512 d25a4f40bf108e4b445c6fc105319fd8d8cd1b47562b17c2c8b36b81298f2e67a6daf8fb6915e84bdce94f9a719087cba152d9c9d458f51b7ab06daa4c3fdbf8

memory/1988-19-0x00007FFB1ADA0000-0x00007FFB1B861000-memory.dmp

memory/1988-31-0x00007FFB1ADA0000-0x00007FFB1B861000-memory.dmp