Analysis Overview
SHA256: bb2c74ad236495ece5a6d4b727a9607b4e1b2f5c75944c1ede7254e17a564fba
Threat Level: Known bad
The file bb2c74ad236495ece5a6d4b727a9607b4e1b2f5c75944c1ede7254e17a564fba was found to be: Known bad.
Malicious Activity Summary
UPX dump on OEP (original entry point)
Executes dropped EXE
UPX packed file
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-08 00:51
Signatures
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-08 00:51
Reported
2024-04-08 00:54
Platform
win7-20240221-en
Max time kernel
141s
Max time network
118s
Command Line
Signatures
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\bb2c74ad236495ece5a6d4b727a9607b4e1b2f5c75944c1ede7254e17a564fba.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\bb2c74ad236495ece5a6d4b727a9607b4e1b2f5c75944c1ede7254e17a564fba.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bb2c74ad236495ece5a6d4b727a9607b4e1b2f5c75944c1ede7254e17a564fba.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1688 wrote to memory of 1872 | N/A | C:\Users\Admin\AppData\Local\Temp\bb2c74ad236495ece5a6d4b727a9607b4e1b2f5c75944c1ede7254e17a564fba.exe | C:\Windows\CTS.exe |
| PID 1688 wrote to memory of 1872 | N/A | C:\Users\Admin\AppData\Local\Temp\bb2c74ad236495ece5a6d4b727a9607b4e1b2f5c75944c1ede7254e17a564fba.exe | C:\Windows\CTS.exe |
| PID 1688 wrote to memory of 1872 | N/A | C:\Users\Admin\AppData\Local\Temp\bb2c74ad236495ece5a6d4b727a9607b4e1b2f5c75944c1ede7254e17a564fba.exe | C:\Windows\CTS.exe |
| PID 1688 wrote to memory of 1872 | N/A | C:\Users\Admin\AppData\Local\Temp\bb2c74ad236495ece5a6d4b727a9607b4e1b2f5c75944c1ede7254e17a564fba.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\bb2c74ad236495ece5a6d4b727a9607b4e1b2f5c75944c1ede7254e17a564fba.exe
"C:\Users\Admin\AppData\Local\Temp\bb2c74ad236495ece5a6d4b727a9607b4e1b2f5c75944c1ede7254e17a564fba.exe"
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network
Files
memory/1688-0-0x00000000011D0000-0x00000000011E7000-memory.dmp
memory/1688-9-0x00000000011D0000-0x00000000011E7000-memory.dmp
C:\Windows\CTS.exe
| MD5 | 286211b8e0aad0533c45d8b8c351cc70 |
| SHA1 | cb54a305a566c00742fb972c4ee62266e880ea78 |
| SHA256 | 1955407b2fd523e375303d560b987216b95105b421a8471218c0b65ceba847f3 |
| SHA512 | 91eddd484a40aee3a7a9254fd6843b3d9dd455e6a2c4d685d499ab1704d8644a6dc604ad14449e96b0754ae3e6c1c14c16d068605aa4e39840e0421aa7a4be35 |
memory/1872-12-0x0000000001200000-0x0000000001217000-memory.dmp
memory/1688-5-0x00000000000E0000-0x00000000000F7000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ZQANPYL0kzqb3W9.exe
| MD5 | e14e80f9d49474687848ffd71df4e81a |
| SHA1 | 9bc934fea200fd8645861ea50deb8142ab23538f |
| SHA256 | aa143b1ad1f27a924561ce6ebafcde2cb54073640e9b78519b2fbf815df401fc |
| SHA512 | 3c890f4712df1a7328da14f54daa74710be42f9c9244cc3cbb9e202d4e9267142814e79767b7aa3363384c500f3125d83d22c3d345785f61bf9654952f83bff8 |
memory/1688-19-0x00000000000E0000-0x00000000000F7000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-08 00:51
Reported
2024-04-08 00:54
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\bb2c74ad236495ece5a6d4b727a9607b4e1b2f5c75944c1ede7254e17a564fba.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\bb2c74ad236495ece5a6d4b727a9607b4e1b2f5c75944c1ede7254e17a564fba.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bb2c74ad236495ece5a6d4b727a9607b4e1b2f5c75944c1ede7254e17a564fba.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 628 wrote to memory of 2052 | N/A | C:\Users\Admin\AppData\Local\Temp\bb2c74ad236495ece5a6d4b727a9607b4e1b2f5c75944c1ede7254e17a564fba.exe | C:\Windows\CTS.exe |
| PID 628 wrote to memory of 2052 | N/A | C:\Users\Admin\AppData\Local\Temp\bb2c74ad236495ece5a6d4b727a9607b4e1b2f5c75944c1ede7254e17a564fba.exe | C:\Windows\CTS.exe |
| PID 628 wrote to memory of 2052 | N/A | C:\Users\Admin\AppData\Local\Temp\bb2c74ad236495ece5a6d4b727a9607b4e1b2f5c75944c1ede7254e17a564fba.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\bb2c74ad236495ece5a6d4b727a9607b4e1b2f5c75944c1ede7254e17a564fba.exe
"C:\Users\Admin\AppData\Local\Temp\bb2c74ad236495ece5a6d4b727a9607b4e1b2f5c75944c1ede7254e17a564fba.exe"
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 130.118.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | N/A | udp |
Files
memory/628-0-0x0000000000D70000-0x0000000000D87000-memory.dmp
C:\Windows\CTS.exe
| MD5 | 286211b8e0aad0533c45d8b8c351cc70 |
| SHA1 | cb54a305a566c00742fb972c4ee62266e880ea78 |
| SHA256 | 1955407b2fd523e375303d560b987216b95105b421a8471218c0b65ceba847f3 |
| SHA512 | 91eddd484a40aee3a7a9254fd6843b3d9dd455e6a2c4d685d499ab1704d8644a6dc604ad14449e96b0754ae3e6c1c14c16d068605aa4e39840e0421aa7a4be35 |
memory/628-6-0x0000000000D70000-0x0000000000D87000-memory.dmp
memory/2052-8-0x0000000000DB0000-0x0000000000DC7000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
| MD5 | 250b4c2c6aaab7b3cda32a38a76efdff |
| SHA1 | 28591a58c3242b1da0c721efdcf2ee275c9ba728 |
| SHA256 | c1cb60b74f770a6069789bc61b55264e5f118f7ac0f006874f418764c3c7d3db |
| SHA512 | f0493fff506a4015d633f2ca24f0f74737a1834d2f0e4cd23ab9568ef292d76a5c826c456da688eb10891a6eb33034ab6b094133c257334ec6fa96b0311b6a49 |
C:\Users\Admin\AppData\Local\Temp\QA30hwqdS6ZlRtW.exe
| MD5 | 21be89cc3377f868338f3d93fc73e68b |
| SHA1 | 8b2f4b88a55d6f6966199527c22b711db607021f |
| SHA256 | c8fbfb1bbf1586d50ef41573a61265d6c94cfc3edf9f827f3afda693aa9de046 |
| SHA512 | dc88e872238b6e3a51b996fdddbf5f40e5f666e44f7e58e8a891272070cb70c8371debcfbdbd6c4304138f0631661f84a4242f7bdcdcea40f1feb139076b9be0 |
memory/2052-31-0x0000000000DB0000-0x0000000000DC7000-memory.dmp