4f78fc588390cff7677d5e68f78c4777b7a4a5434784562aa5e972b10ee4995e

Analysis

max time kernel
141s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2024, 21:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f78fc588390cff7677d5e68f78c4777b7a4a5434784562aa5e972b10ee4995e.exe
Size

26KB
MD5

dcb5efe8d4c9d47ada4c6c7993e6af3c
SHA1

a7406d7ae2d81de49c7355d3100266b5deb02785
SHA256

4f78fc588390cff7677d5e68f78c4777b7a4a5434784562aa5e972b10ee4995e
SHA512

0a211112ddb0a2aa6dfd30a2fd07e4f81fc7231b2b23dd5fd02713efab372c8b21456a7e568d3cc3e14a96381295c9dc45ba3ed442f28c32ac34e784ecc047e9
SSDEEP

768:XkX3LKew369lp2z3Sd4baFXLjwP/Tgj93b8NIoa:6KcR4mjD9r825

Score

9^/10

persistence spyware stealer upx

Malware Config

Signatures

UPX dump on OEP (original entry point) 6 IoCs

resource	yara_rule
behavioral2/memory/3348-0-0x00000000008B0000-0x00000000008C7000-memory.dmp	UPX
behavioral2/files/0x00080000000233f7-5.dat	UPX
behavioral2/memory/3348-6-0x00000000008B0000-0x00000000008C7000-memory.dmp	UPX
behavioral2/memory/5048-8-0x0000000000E70000-0x0000000000E87000-memory.dmp	UPX
behavioral2/files/0x0003000000022952-11.dat	UPX
behavioral2/files/0x000300000001e970-29.dat	UPX

Executes dropped EXE 1 IoCs

pid	Process
5048	CTS.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3348-0-0x00000000008B0000-0x00000000008C7000-memory.dmp	upx
behavioral2/files/0x00080000000233f7-5.dat	upx
behavioral2/memory/3348-6-0x00000000008B0000-0x00000000008C7000-memory.dmp	upx
behavioral2/memory/5048-8-0x0000000000E70000-0x0000000000E87000-memory.dmp	upx
behavioral2/files/0x0003000000022952-11.dat	upx
behavioral2/files/0x000300000001e970-29.dat	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	4f78fc588390cff7677d5e68f78c4777b7a4a5434784562aa5e972b10ee4995e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	4f78fc588390cff7677d5e68f78c4777b7a4a5434784562aa5e972b10ee4995e.exe
File created	C:\Windows\CTS.exe	CTS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3348	4f78fc588390cff7677d5e68f78c4777b7a4a5434784562aa5e972b10ee4995e.exe
Token: SeDebugPrivilege	5048	CTS.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3348 wrote to memory of 5048	3348	4f78fc588390cff7677d5e68f78c4777b7a4a5434784562aa5e972b10ee4995e.exe	87
PID 3348 wrote to memory of 5048	3348	4f78fc588390cff7677d5e68f78c4777b7a4a5434784562aa5e972b10ee4995e.exe	87
PID 3348 wrote to memory of 5048	3348	4f78fc588390cff7677d5e68f78c4777b7a4a5434784562aa5e972b10ee4995e.exe	87

C:\Users\Admin\AppData\Local\Temp\4f78fc588390cff7677d5e68f78c4777b7a4a5434784562aa5e972b10ee4995e.exe
"C:\Users\Admin\AppData\Local\Temp\4f78fc588390cff7677d5e68f78c4777b7a4a5434784562aa5e972b10ee4995e.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3348
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:5048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
349KB

MD5
e20edb54c3844caade3eb2119f38a7a0

SHA1
93d466ae1de17486b0d2907c83d4f0ad955c0588

SHA256
ff6836cdc489c8c615313790cf5636de4cf2c222698637bf56f6b82fc74f2099

SHA512
187a9a6cffbd3393c4cacf816c46333f3da3cee316a41fc3ce8585056556c1dae371bc6d17bf5c39a04f6230f6c5e86d6454b4780d36b1f81eac133584154657

Download Submit
C:\Users\Admin\AppData\Local\Temp\keqPMPdFkKo3MUr.exe

Filesize
26KB

MD5
d64f2c45cbc2b84139dac76feec06ec6

SHA1
38ef1bfa17c1eff8849719894e5ec1aa27633025

SHA256
485d20f504bfa675dc4e03546748d371b2ed240798361468c8a41b99c57b883f

SHA512
6b9d71aa86852b45c3b9f07f8e6764e0c38ca7ead45230354dffddd14bc96712654dfabbb8f73b9e2a9080fcb48946dad03d50cfa7aaab268ae6d5913463e222

Download Submit
C:\Windows\CTS.exe

Filesize
26KB

MD5
286211b8e0aad0533c45d8b8c351cc70

SHA1
cb54a305a566c00742fb972c4ee62266e880ea78

SHA256
1955407b2fd523e375303d560b987216b95105b421a8471218c0b65ceba847f3

SHA512
91eddd484a40aee3a7a9254fd6843b3d9dd455e6a2c4d685d499ab1704d8644a6dc604ad14449e96b0754ae3e6c1c14c16d068605aa4e39840e0421aa7a4be35

Download Submit
memory/3348-0-0x00000000008B0000-0x00000000008C7000-memory.dmp

Filesize
92KB

Download
memory/3348-6-0x00000000008B0000-0x00000000008C7000-memory.dmp

Filesize
92KB

Download
memory/5048-8-0x0000000000E70000-0x0000000000E87000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads