06b61ef008c44c0f0f56c57c1292dbb04b16c03f569c398ffe9082e3a72963cc

Analysis

max time kernel
121s
max time network
127s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26/04/2024, 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

223aa8e7cd00601dd13a849875558c08.exe
Size

665KB
MD5

223aa8e7cd00601dd13a849875558c08
SHA1

82f3c8f54572e684acee1e91663cceb1084ccdca
SHA256

06b61ef008c44c0f0f56c57c1292dbb04b16c03f569c398ffe9082e3a72963cc
SHA512

8bba1f981a7eaa97cf4c409505f0c8f25defb5d6b939070c8146fe4da561777ff613ec0d6c3773f852f25390e256c8cb94190a3ae4aca5c038dc84e35d7545b0
SSDEEP

12288:5Bzdl+a78TmsXpXNqe7mqeJLIIQQVQ8Mzk8/XZg2tdFGLwtUGIWFaifXJ0O:nf+aeP91WSzBftdMyfI+akd

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2956	iD8nU7pfR4cQcuy.exe
1216	CTS.exe

Loads dropped DLL 2 IoCs

pid	Process
2044	223aa8e7cd00601dd13a849875558c08.exe
2032	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	223aa8e7cd00601dd13a849875558c08.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	223aa8e7cd00601dd13a849875558c08.exe
File created	C:\Windows\CTS.exe	CTS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2044	223aa8e7cd00601dd13a849875558c08.exe
Token: SeDebugPrivilege	1216	CTS.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 2956	2044	223aa8e7cd00601dd13a849875558c08.exe	28
PID 2044 wrote to memory of 2956	2044	223aa8e7cd00601dd13a849875558c08.exe	28
PID 2044 wrote to memory of 2956	2044	223aa8e7cd00601dd13a849875558c08.exe	28
PID 2044 wrote to memory of 2956	2044	223aa8e7cd00601dd13a849875558c08.exe	28
PID 2044 wrote to memory of 1216	2044	223aa8e7cd00601dd13a849875558c08.exe	30
PID 2044 wrote to memory of 1216	2044	223aa8e7cd00601dd13a849875558c08.exe	30
PID 2044 wrote to memory of 1216	2044	223aa8e7cd00601dd13a849875558c08.exe	30
PID 2044 wrote to memory of 1216	2044	223aa8e7cd00601dd13a849875558c08.exe	30

C:\Users\Admin\AppData\Local\Temp\223aa8e7cd00601dd13a849875558c08.exe
"C:\Users\Admin\AppData\Local\Temp\223aa8e7cd00601dd13a849875558c08.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Users\Admin\AppData\Local\Temp\iD8nU7pfR4cQcuy.exe
  C:\Users\Admin\AppData\Local\Temp\iD8nU7pfR4cQcuy.exe
  2⤵
  - Executes dropped EXE
  PID:2956
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\iD8nU7pfR4cQcuy.exe

Filesize
665KB

MD5
b964464b46bf580bd06d4b88179826b9

SHA1
3eb3794350068860da124f2e0489d08972bc9f74

SHA256
04952871891175ba33758c1e7b45b90b59c851c051804c760d1e267249337e1b

SHA512
897a254ae1988c186e3e93c3e85a06871ba4947253fa6d93f2203fe86bc99fd86d8c28f8f2701b3a4cf4197b53cd7000aec177db75c5c129c89c3d285b6804fb

Download Submit
C:\Windows\CTS.exe

Filesize
80KB

MD5
ec704028ad7125c2fa52e04dc68c0ca3

SHA1
2a63f27d0138696c9c27a9ea2534e8f2ca11ddc4

SHA256
5f77a5d7c9eac3b004820646dece450e315a6e3ed320dc183ae68d59cd2318bf

SHA512
a008a08c980583b8698431ca44fa45d5565fdc5316dc3e58c47ae523e7a7a776162979b0c79f9c64f0b71e0d98fb49102679378354f76c270d0c99207c15d160

Download Submit
\Users\Admin\AppData\Local\Temp\iD8nU7pfR4cQcuy.exe

Filesize
584KB

MD5
487138792576238d76ad63497f050803

SHA1
48379948ed6a93c4df1116b51d33e15627d67945

SHA256
3515e307cf21fe8f37112b3a6e79c3c3b50aa202cc000df4bbf3343f083a2f70

SHA512
b163fd09be5db2e20ec91745fdcc1615d6c71758d1309a33d4a27c5f57c6259ff11a120d4d58e281b26e59fcf90f982d1bd91a21b5e4883dc8e9537eccc46425

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads