Malware Analysis Report

2024-11-30 04:05

Sample ID 240408-a7vbqabh25
Target bb2c74ad236495ece5a6d4b727a9607b4e1b2f5c75944c1ede7254e17a564fba
SHA256 bb2c74ad236495ece5a6d4b727a9607b4e1b2f5c75944c1ede7254e17a564fba
Tags
upx persistence spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bb2c74ad236495ece5a6d4b727a9607b4e1b2f5c75944c1ede7254e17a564fba

Threat Level: Known bad

The file bb2c74ad236495ece5a6d4b727a9607b4e1b2f5c75944c1ede7254e17a564fba was found to be: Known bad.

Malicious Activity Summary

upx persistence spyware stealer

UPX dump on OEP (original entry point)


Executes dropped EXE

UPX packed file

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-08 00:51

Signatures

UPX dump on OEP (original entry point)

No per-indicator details recorded (all fields N/A). The signature means the sandbox unpacked the UPX layer and dumped the image at its original entry point; that dump, not the packed file on disk, is what static signatures and disassembly should be run against.

UPX packed file

upx
No per-indicator details recorded (all fields N/A).

Unsigned PE

No per-indicator details recorded (all fields N/A). The file carries no Authenticode signature, so there is no publisher identity to verify or revoke.
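How a static "UPX packed file" verdict like the one above is typically reached, as an added Python example that is not part of this report and not the sandbox's own code: it walks the PE headers to the section table and flags the stock UPX layout. The PE images it checks are constructed in-line as test fixtures (the report's sample is not embedded here), and the structural heuristics beyond the section-name match are this example's own.

```python
"""Added example: static UPX detection from the PE section table.
Not the sandbox's code; the PE images built below are constructed fixtures."""
import struct
from collections import namedtuple

Section = namedtuple("Section", "name virtual_size raw_size characteristics")

# Section names the stock UPX packer emits (UPX0 = unpack destination, UPX1 = packed data)
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".UPX0", b".UPX1"}
IMAGE_SCN_RWX = 0x20000000 | 0x40000000 | 0x80000000   # MEM_EXECUTE | MEM_READ | MEM_WRITE


def pe_sections(data: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size                 # COFF header is 20 bytes, then optional header
    sections = []
    for i in range(nsections):                   # each IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, _vaddr, rsize, _rptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, table + i * 40)
        sections.append(Section(name.rstrip(b"\0"), vsize, rsize, chars))
    return sections


def upx_indicators(data: bytes) -> list:
    """Return human-readable reasons the image looks UPX-packed (empty list = no hit)."""
    secs = pe_sections(data)
    reasons = []
    hits = [s.name for s in secs if s.name in UPX_SECTION_NAMES]
    if hits:
        reasons.append("UPX section names: " + ", ".join(n.decode() for n in hits))
    # Stock UPX layout: the first section has no raw bytes on disk but a large virtual
    # size (the stub unpacks into it), and the stub's sections are mapped RWX.
    if secs and secs[0].raw_size == 0 and secs[0].virtual_size > 0:
        reasons.append("first section has zero raw size (in-memory unpack destination)")
    rwx = [s.name for s in secs if s.characteristics & IMAGE_SCN_RWX == IMAGE_SCN_RWX]
    if rwx:
        reasons.append("RWX sections: " + ", ".join(n.decode() for n in rwx))
    return reasons


def is_upx_packed(data: bytes) -> bool:
    # A name match is enough on its own; otherwise require two structural indicators,
    # because section names are trivial to rename (upx --strip, a hex editor) and the layout is not.
    reasons = upx_indicators(data)
    return any(r.startswith("UPX section names") for r in reasons) or len(reasons) >= 2


def build_pe(section_names) -> bytes:
    """Constructed minimal PE32 image (not a real binary) with the given section names."""
    opt_size = 0xE0                                               # PE32 optional header size
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)        # PE32 magic, rest zeroed
    table = b""
    for i, name in enumerate(section_names):
        packed_stub = name.startswith(b"UPX")
        raw_size = 0 if name == b"UPX0" else 0x1000
        chars = (IMAGE_SCN_RWX | 0x40) if packed_stub else 0x60000020   # RWX data vs. code R+X
        table += struct.pack("<8sIIIIIIHHI", name, 0x10000, 0x1000 * (i + 1), raw_size,
                             0x400 * (i + 1), 0, 0, 0, 0, chars)
    return dos + b"PE\0\0" + coff + opt + table


if __name__ == "__main__":
    for label, names in (("packed", [b"UPX0", b"UPX1", b".rsrc"]),
                         ("plain", [b".text", b".rdata", b".data"])):
        img = build_pe(names)
        print(label, is_upx_packed(img), upx_indicators(img))
```

The name check alone is what most "UPX packed" signatures amount to, and it fails the moment the headers are scrambled, which also breaks `upx -d`; the zero-raw-size first section and RWX stub sections survive renaming, and when they are present without the names the sample still has to be unpacked dynamically, which is exactly what the sandbox's "UPX dump on OEP" step does.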

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-08 00:51

Reported

2024-04-08 00:54

Platform

win7-20240221-en

Max time kernel

141s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bb2c74ad236495ece5a6d4b727a9607b4e1b2f5c75944c1ede7254e17a564fba.exe"

Signatures

UPX dump on OEP (original entry point)

No per-indicator details recorded (all fields N/A).

Executes dropped EXE

Process: C:\Windows\CTS.exe

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
No per-indicator details recorded (all fields N/A).

Adds Run key to start application

persistence
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"
    by C:\Users\Admin\AppData\Local\Temp\bb2c74ad236495ece5a6d4b727a9607b4e1b2f5c75944c1ede7254e17a564fba.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"
    by C:\Windows\CTS.exe

The key lives under HKEY_LOCAL_MACHINE, so the entry runs at every user's logon, and the successful write shows the process had machine-level registry rights. Wow6432Node is the redirected view a 32-bit process gets on 64-bit Windows; on a 32-bit host the same write lands in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, so a hunt should check both paths. Both the original sample and the dropped C:\Windows\CTS.exe set the value, i.e. the dropped copy re-asserts its own persistence each time it runs.

Drops file in Windows directory

File created C:\Windows\CTS.exe
    by C:\Users\Admin\AppData\Local\Temp\bb2c74ad236495ece5a6d4b727a9607b4e1b2f5c75944c1ede7254e17a564fba.exe
File created C:\Windows\CTS.exe
    by C:\Windows\CTS.exe

Suspicious use of AdjustPrivilegeToken

Token: SeDebugPrivilege enabled by C:\Users\Admin\AppData\Local\Temp\bb2c74ad236495ece5a6d4b727a9607b4e1b2f5c75944c1ede7254e17a564fba.exe
Token: SeDebugPrivilege enabled by C:\Windows\CTS.exe

SeDebugPrivilege lets a process open any other process regardless of that process's ACL; debuggers need it, and so do injectors before OpenProcess/WriteProcessMemory. Enabling it is not malicious on its own, but read alongside the WriteProcessMemory and browser-profile signatures in the Malicious Activity Summary it fits the spyware/stealer tags.
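The Run-key, file-drop and SeDebugPrivilege rows of behavioral1 are the kind of event stream a detection engineer turns into rules. The following is an added Python example, not the sandbox's code and not part of this report: it parses the six behavioral1 indicator rows in the report's flattened description/indicator/process/target layout (embedded below as a constructed input) into events, then runs persistence and dropper rules of this example's own design over them and lists the host artifacts to sweep for. The rule names and the assumption that paths contain no spaces are this example's.

```python
"""Added example: parse the report's behavioral rows and run persistence/dropper
rules over them. Not the sandbox's code; REPORT_ROWS is a constructed input
copied from the behavioral1 indicator tables."""
import re
from collections import defaultdict

REPORT_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\bb2c74ad236495ece5a6d4b727a9607b4e1b2f5c75944c1ede7254e17a564fba.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\bb2c74ad236495ece5a6d4b727a9607b4e1b2f5c75944c1ede7254e17a564fba.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bb2c74ad236495ece5a6d4b727a9607b4e1b2f5c75944c1ede7254e17a564fba.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A
"""

# Row shapes as printed in the report: description, indicator, process, target.
# Assumption for this example: paths contain no spaces (true of the rows above).
ROW_PATTERNS = (
    ("registry_set", re.compile(r'^Set value \(\w+\) (\S+) = "(.*)" (\S+) (\S+)$')),
    ("file_create",  re.compile(r'^File created (\S+) (\S+) (\S+)$')),
    ("token_adjust", re.compile(r'^Token: (\S+) (\S+) (\S+) (\S+)$')),
)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)   # native and Wow6432Node
WINDOWS_EXE = re.compile(r"^C:\\Windows\\[^\\]+\.exe$", re.I)
USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def parse_rows(text: str) -> list:
    events = []
    for line in text.strip().splitlines():
        for kind, pat in ROW_PATTERNS:
            m = pat.match(line.strip())
            if not m:
                continue
            g = m.groups()
            if kind == "registry_set":   # the value is printed JSON-escaped: "C:\\Windows\\CTS.exe"
                events.append({"type": kind, "key": g[0],
                               "value": g[1].replace("\\\\", "\\"), "process": g[2]})
            elif kind == "file_create":
                events.append({"type": kind, "path": g[0], "process": g[1]})
            else:
                events.append({"type": kind, "privilege": g[0], "process": g[2]})
            break
    return events


def evaluate(events: list) -> list:
    """Return (rule, evidence) pairs; the rules are this example's own, not the sandbox's."""
    findings = []
    created = defaultdict(set)          # lower-cased path -> processes that wrote it
    for e in events:
        if e["type"] == "file_create":
            created[e["path"].lower()].add(e["process"].lower())
            if WINDOWS_EXE.match(e["path"]) and USER_TEMP.search(e["process"]):
                findings.append(("temp_process_drops_into_windows_dir",
                                 f'{e["process"]} -> {e["path"]}'))
    for e in events:
        if e["type"] == "registry_set" and RUN_KEY.search(e["key"]):
            scope = "machine" if e["key"].upper().startswith("\\REGISTRY\\MACHINE") else "user"
            if e["value"].lower() in created:          # Run value points at a file this run created
                findings.append(("run_key_points_at_dropped_exe",
                                 f'[{scope}] {e["key"]} = {e["value"]} (set by {e["process"]})'))
            if e["process"].lower() == e["value"].lower():   # the dropped copy re-sets its own entry
                findings.append(("dropped_exe_reasserts_own_run_key", e["value"]))
        elif e["type"] == "token_adjust" and e["privilege"] == "SeDebugPrivilege":
            findings.append(("sedebugprivilege_enabled", e["process"]))
    return findings


def hunt_iocs(events: list) -> dict:
    """Host artifacts worth sweeping for: dropped paths and Run key/value pairs."""
    files = {e["path"] for e in events if e["type"] == "file_create"}
    run_values = {(e["key"], e["value"]) for e in events
                  if e["type"] == "registry_set" and RUN_KEY.search(e["key"])}
    return {"files": sorted(files), "run_values": sorted(run_values)}


if __name__ == "__main__":
    evs = parse_rows(REPORT_ROWS)
    for rule, evidence in evaluate(evs):
        print(f"{rule:40} {evidence}")
    print(hunt_iocs(evs))
```

The rule that matters most is the join between the file-create and registry events: a Run value is common, a Run value whose target was written during the same execution by a process running out of the user's Temp directory is not. On the rows above it fires twice, once for the original sample and once for the dropped copy re-asserting its own entry.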

Processes

C:\Users\Admin\AppData\Local\Temp\bb2c74ad236495ece5a6d4b727a9607b4e1b2f5c75944c1ede7254e17a564fba.exe

"C:\Users\Admin\AppData\Local\Temp\bb2c74ad236495ece5a6d4b727a9607b4e1b2f5c75944c1ede7254e17a564fba.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A

Files

memory/1688-0-0x00000000011D0000-0x00000000011E7000-memory.dmp

memory/1688-9-0x00000000011D0000-0x00000000011E7000-memory.dmp

C:\Windows\CTS.exe

MD5 286211b8e0aad0533c45d8b8c351cc70
SHA1 cb54a305a566c00742fb972c4ee62266e880ea78
SHA256 1955407b2fd523e375303d560b987216b95105b421a8471218c0b65ceba847f3
SHA512 91eddd484a40aee3a7a9254fd6843b3d9dd455e6a2c4d685d499ab1704d8644a6dc604ad14449e96b0754ae3e6c1c14c16d068605aa4e39840e0421aa7a4be35

memory/1872-12-0x0000000001200000-0x0000000001217000-memory.dmp

memory/1688-5-0x00000000000E0000-0x00000000000F7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ZQANPYL0kzqb3W9.exe

MD5 e14e80f9d49474687848ffd71df4e81a
SHA1 9bc934fea200fd8645861ea50deb8142ab23538f
SHA256 aa143b1ad1f27a924561ce6ebafcde2cb54073640e9b78519b2fbf815df401fc
SHA512 3c890f4712df1a7328da14f54daa74710be42f9c9244cc3cbb9e202d4e9267142814e79767b7aa3363384c500f3125d83d22c3d345785f61bf9654952f83bff8

memory/1688-19-0x00000000000E0000-0x00000000000F7000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-08 00:51

Reported

2024-04-08 00:54

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bb2c74ad236495ece5a6d4b727a9607b4e1b2f5c75944c1ede7254e17a564fba.exe"

Signatures

UPX dump on OEP (original entry point)

No per-indicator details recorded (all fields N/A).

Executes dropped EXE

Process: C:\Windows\CTS.exe

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
No per-indicator details recorded (all fields N/A).

Adds Run key to start application

persistence
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"
    by C:\Users\Admin\AppData\Local\Temp\bb2c74ad236495ece5a6d4b727a9607b4e1b2f5c75944c1ede7254e17a564fba.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"
    by C:\Windows\CTS.exe

The same machine-wide Run value as in behavioral1, again set by both the original sample and the dropped copy; the behaviour is identical across the Windows 7 and Windows 10 images.

Drops file in Windows directory

File created C:\Windows\CTS.exe
    by C:\Windows\CTS.exe
File created C:\Windows\CTS.exe
    by C:\Users\Admin\AppData\Local\Temp\bb2c74ad236495ece5a6d4b727a9607b4e1b2f5c75944c1ede7254e17a564fba.exe

Suspicious use of AdjustPrivilegeToken

Token: SeDebugPrivilege enabled by C:\Users\Admin\AppData\Local\Temp\bb2c74ad236495ece5a6d4b727a9607b4e1b2f5c75944c1ede7254e17a564fba.exe
Token: SeDebugPrivilege enabled by C:\Windows\CTS.exe

Processes

C:\Users\Admin\AppData\Local\Temp\bb2c74ad236495ece5a6d4b727a9607b4e1b2f5c75944c1ede7254e17a564fba.exe

"C:\Users\Admin\AppData\Local\Temp\bb2c74ad236495ece5a6d4b727a9607b4e1b2f5c75944c1ede7254e17a564fba.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

Country  Destination  Query name                          Proto
US       8.8.8.8:53   183.142.211.20.in-addr.arpa         udp
US       8.8.8.8:53   240.221.184.93.in-addr.arpa         udp
US       8.8.8.8:53   74.32.126.40.in-addr.arpa           udp
US       8.8.8.8:53   232.168.11.51.in-addr.arpa          udp
US       8.8.8.8:53   157.123.68.40.in-addr.arpa          udp
US       8.8.8.8:53   15.164.165.52.in-addr.arpa          udp
US       8.8.8.8:53   130.118.77.104.in-addr.arpa         udp
US       8.8.8.8:53   172.210.232.199.in-addr.arpa        udp
US       8.8.8.8:53   19.229.111.52.in-addr.arpa          udp
US       8.8.8.8:53   (query name not recorded)           udp

Every entry is a DNS query to 8.8.8.8 for an in-addr.arpa name, i.e. a reverse (PTR) lookup; 183.142.211.20.in-addr.arpa is the reversed form of 20.211.142.183. The report attributes none of these queries to the sample's processes, no connection to a resolved host follows, and the Windows 7 detonation (behavioral1) produced no network activity at all, so they are best treated as background traffic of the Windows 10 image rather than command-and-control. This report contains no network indicator for the sample.

Files

memory/628-0-0x0000000000D70000-0x0000000000D87000-memory.dmp

C:\Windows\CTS.exe

MD5 286211b8e0aad0533c45d8b8c351cc70
SHA1 cb54a305a566c00742fb972c4ee62266e880ea78
SHA256 1955407b2fd523e375303d560b987216b95105b421a8471218c0b65ceba847f3
SHA512 91eddd484a40aee3a7a9254fd6843b3d9dd455e6a2c4d685d499ab1704d8644a6dc604ad14449e96b0754ae3e6c1c14c16d068605aa4e39840e0421aa7a4be35

memory/628-6-0x0000000000D70000-0x0000000000D87000-memory.dmp

memory/2052-8-0x0000000000DB0000-0x0000000000DC7000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 250b4c2c6aaab7b3cda32a38a76efdff
SHA1 28591a58c3242b1da0c721efdcf2ee275c9ba728
SHA256 c1cb60b74f770a6069789bc61b55264e5f118f7ac0f006874f418764c3c7d3db
SHA512 f0493fff506a4015d633f2ca24f0f74737a1834d2f0e4cd23ab9568ef292d76a5c826c456da688eb10891a6eb33034ab6b094133c257334ec6fa96b0311b6a49

C:\Users\Admin\AppData\Local\Temp\QA30hwqdS6ZlRtW.exe

MD5 21be89cc3377f868338f3d93fc73e68b
SHA1 8b2f4b88a55d6f6966199527c22b711db607021f
SHA256 c8fbfb1bbf1586d50ef41573a61265d6c94cfc3edf9f827f3afda693aa9de046
SHA512 dc88e872238b6e3a51b996fdddbf5f40e5f666e44f7e58e8a891272070cb70c8371debcfbdbd6c4304138f0631661f84a4242f7bdcdcea40f1feb139076b9be0

A randomly named executable in the user's Temp directory appears in both detonations (ZQANPYL0kzqb3W9.exe in behavioral1, QA30hwqdS6ZlRtW.exe here) with a different hash each time, so neither hash is a stable indicator, and neither detonation records this Temp executable being run. C:\Windows\CTS.exe, by contrast, has the same MD5/SHA1/SHA256/SHA512 in both runs and is the artifact to sweep for, together with the Run key that points at it.

memory/2052-31-0x0000000000DB0000-0x0000000000DC7000-memory.dmp