f5db3b7e09d544de9242eeac0befbbfb484827d05e982b025ed0efa82e7361c7

General

Target

f5db3b7e09d544de9242eeac0befbbfb484827d05e982b025ed0efa82e7361c7.exe
Size

130KB
MD5

662236e56942dc14166d8df75745f7c0
SHA1

6cf14671202cd5aee0782d8033b9aa696d77e4bc
SHA256

f5db3b7e09d544de9242eeac0befbbfb484827d05e982b025ed0efa82e7361c7
SHA512

5379a4baee8b94d9d0942fe5b235ada59d1f80e8b3448a6f18d91f9b92bf39118b900862a617f87072f041cec3b1f302ab0e93654bf2066fb44b07b46d44556b
SSDEEP

3072:/V2A/gVh74gpg6lzqoXw34ms6yE9MmQcuSBcn1+LinSs3KDGAL8Q:/MAoVNTw3Dlb4cu2c1++nSsaqAQQ

Score

9^/10

Malware Config

Signatures

UPX dump on OEP (original entry point) 5 IoCs

resource	yara_rule
behavioral2/memory/3872-0-0x0000000000A40000-0x0000000000A58000-memory.dmp	UPX
behavioral2/memory/3872-8-0x0000000000A40000-0x0000000000A58000-memory.dmp	UPX
behavioral2/files/0x0007000000023270-7.dat	UPX
behavioral2/memory/4628-9-0x00000000004D0000-0x00000000004E8000-memory.dmp	UPX
behavioral2/files/0x0003000000022971-12.dat	UPX

Executes dropped EXE 2 IoCs

pid	Process
4888	SMyr1gVbwKso4aj.exe
4628	CTS.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3872-0-0x0000000000A40000-0x0000000000A58000-memory.dmp	upx
behavioral2/memory/3872-8-0x0000000000A40000-0x0000000000A58000-memory.dmp	upx
behavioral2/files/0x0007000000023270-7.dat	upx
behavioral2/memory/4628-9-0x00000000004D0000-0x00000000004E8000-memory.dmp	upx
behavioral2/files/0x0003000000022971-12.dat	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	f5db3b7e09d544de9242eeac0befbbfb484827d05e982b025ed0efa82e7361c7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	CTS.exe
File created	C:\Windows\CTS.exe	f5db3b7e09d544de9242eeac0befbbfb484827d05e982b025ed0efa82e7361c7.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3872	f5db3b7e09d544de9242eeac0befbbfb484827d05e982b025ed0efa82e7361c7.exe
Token: SeDebugPrivilege	4628	CTS.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3872 wrote to memory of 4888	3872	f5db3b7e09d544de9242eeac0befbbfb484827d05e982b025ed0efa82e7361c7.exe	85
PID 3872 wrote to memory of 4888	3872	f5db3b7e09d544de9242eeac0befbbfb484827d05e982b025ed0efa82e7361c7.exe	85
PID 3872 wrote to memory of 4628	3872	f5db3b7e09d544de9242eeac0befbbfb484827d05e982b025ed0efa82e7361c7.exe	87
PID 3872 wrote to memory of 4628	3872	f5db3b7e09d544de9242eeac0befbbfb484827d05e982b025ed0efa82e7361c7.exe	87
PID 3872 wrote to memory of 4628	3872	f5db3b7e09d544de9242eeac0befbbfb484827d05e982b025ed0efa82e7361c7.exe	87

C:\Users\Admin\AppData\Local\Temp\f5db3b7e09d544de9242eeac0befbbfb484827d05e982b025ed0efa82e7361c7.exe
"C:\Users\Admin\AppData\Local\Temp\f5db3b7e09d544de9242eeac0befbbfb484827d05e982b025ed0efa82e7361c7.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3872
- C:\Users\Admin\AppData\Local\Temp\SMyr1gVbwKso4aj.exe
  C:\Users\Admin\AppData\Local\Temp\SMyr1gVbwKso4aj.exe
  2⤵
  - Executes dropped EXE
  PID:4888
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:4628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
350KB

MD5
675310360f5c55523fb885a230a6ab2c

SHA1
ffecd705af3fb018a5b18790e729164cb2c27aba

SHA256
b5a940fa198be158eddc0fd66bd502f891541d9bbe4d88659236860565fa3323

SHA512
028374eb9b244da0d8dc30c17da6afc9c1f5d5729423a3c09bdc34cc981b9b5f5b456683eb5f8c80083ebffda5db763470148d71e0b682d4a44d5e58525f66e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMyr1gVbwKso4aj.exe

Filesize
103KB

MD5
40e6081a84568a750c469df520dd0ae1

SHA1
fcc160e9f213a7ce674861c9f4efab2b9f0b13d5

SHA256
b33db48ce11539130b143caa2eec3a38c439de13a2aeffed07cb9b89bcc82fd4

SHA512
91feb528a2c033d0f5261a6c244b640a988d1a42caf0b8bd144a458555a1172e9ac7b23d2ff9304366559008cf3f92445ce59398a3756c0ed3ef343b824f82a2

Download Submit
C:\Windows\CTS.exe

Filesize
27KB

MD5
a6749b968461644db5cc0ecceffb224a

SHA1
2795aa37b8586986a34437081351cdd791749a90

SHA256
720023737d7ff700818f55612ba069a609a5ddea646bb3509b615ee3523a4ca2

SHA512
2a276816290746ed914af9cf6427aef31ce9395b8e9937090e329a8f74fb84c62d15b196e13346caa086842b3f5f549b9eb20cbf422d18c9c1b63e6342ea90b4

Download Submit
memory/3872-0-0x0000000000A40000-0x0000000000A58000-memory.dmp

Filesize
96KB

Download
memory/3872-8-0x0000000000A40000-0x0000000000A58000-memory.dmp

Filesize
96KB

Download
memory/4628-9-0x00000000004D0000-0x00000000004E8000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads