Analysis
- max time kernel: 119s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 28-04-2024 19:25
Behavioral task: behavioral1
- Sample: 246333010e12b606190c247d03270fedd1ae76186fe14b0172a9fe15e6d50070.exe
- Resource: win7-20240419-en
Behavioral task: behavioral2
- Sample: 246333010e12b606190c247d03270fedd1ae76186fe14b0172a9fe15e6d50070.exe
- Resource: win10v2004-20240426-en
General
- Target: 246333010e12b606190c247d03270fedd1ae76186fe14b0172a9fe15e6d50070.exe
- Size: 266KB
- MD5: 1f9b41e5897be069ac12e8ed31bbdff0
- SHA1: a2a25321ae0795f7c153f864fd1129ed7c04463d
- SHA256: 246333010e12b606190c247d03270fedd1ae76186fe14b0172a9fe15e6d50070
- SHA512: 167532565ce8158d46beafc461c8f87a394fc6c18af93f9999da5a4069130af12fee1b0b5932bba2e05328e450226398e5be452c9b853a91cce0afc53949434a
- SSDEEP: 6144:oZb2qa7hSrXqp2Rwsg6e9Q7OrM/ZVkLzL:ooq0hSbqcwtIWMxVkz
Malware Config
Signatures
-
UPX dump on OEP (original entry point) 6 IoCs
Processes:
  resource                                                                     yara_rule
  behavioral1/memory/1764-0-0x0000000000E30000-0x0000000000E48000-memory.dmp   UPX
  C:\Windows\CTS.exe                                                           UPX
  behavioral1/memory/2864-10-0x0000000000330000-0x0000000000348000-memory.dmp  UPX
  behavioral1/memory/1764-8-0x0000000000E30000-0x0000000000E48000-memory.dmp   UPX
  C:\Users\Admin\AppData\Local\Temp\Ko4irz90ViqGoo7.exe                        UPX
  behavioral1/memory/2864-15-0x0000000000330000-0x0000000000348000-memory.dmp  UPX
Executes dropped EXE 1 IoCs
Processes:
  pid   process
  2864  CTS.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
  resource                                                                     yara_rule
  behavioral1/memory/1764-0-0x0000000000E30000-0x0000000000E48000-memory.dmp   upx
  C:\Windows\CTS.exe                                                           upx
  behavioral1/memory/2864-10-0x0000000000330000-0x0000000000348000-memory.dmp  upx
  behavioral1/memory/1764-8-0x0000000000E30000-0x0000000000E48000-memory.dmp   upx
  C:\Users\Admin\AppData\Local\Temp\Ko4irz90ViqGoo7.exe                        upx
  behavioral1/memory/2864-15-0x0000000000330000-0x0000000000348000-memory.dmp  upx
Adds Run key to start application 2 TTPs 2 IoCs
Processes: 246333010e12b606190c247d03270fedd1ae76186fe14b0172a9fe15e6d50070.exe, CTS.exe
  description      ioc                                                                                                    process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"  246333010e12b606190c247d03270fedd1ae76186fe14b0172a9fe15e6d50070.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"  CTS.exe
Drops file in Windows directory 2 IoCs
Processes: 246333010e12b606190c247d03270fedd1ae76186fe14b0172a9fe15e6d50070.exe, CTS.exe
  description   ioc                 process
  File created  C:\Windows\CTS.exe  246333010e12b606190c247d03270fedd1ae76186fe14b0172a9fe15e6d50070.exe
  File created  C:\Windows\CTS.exe  CTS.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: 246333010e12b606190c247d03270fedd1ae76186fe14b0172a9fe15e6d50070.exe, CTS.exe
  description               pid   process
  Token: SeDebugPrivilege   1764  246333010e12b606190c247d03270fedd1ae76186fe14b0172a9fe15e6d50070.exe
  Token: SeDebugPrivilege   2864  CTS.exe
Suspicious use of WriteProcessMemory 4 IoCs
Processes: 246333010e12b606190c247d03270fedd1ae76186fe14b0172a9fe15e6d50070.exe
  description                          pid   process                                                                process target
  PID 1764 wrote to memory of 2864     1764  246333010e12b606190c247d03270fedd1ae76186fe14b0172a9fe15e6d50070.exe  CTS.exe
  PID 1764 wrote to memory of 2864     1764  246333010e12b606190c247d03270fedd1ae76186fe14b0172a9fe15e6d50070.exe  CTS.exe
  PID 1764 wrote to memory of 2864     1764  246333010e12b606190c247d03270fedd1ae76186fe14b0172a9fe15e6d50070.exe  CTS.exe
  PID 1764 wrote to memory of 2864     1764  246333010e12b606190c247d03270fedd1ae76186fe14b0172a9fe15e6d50070.exe  CTS.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\246333010e12b606190c247d03270fedd1ae76186fe14b0172a9fe15e6d50070.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\246333010e12b606190c247d03270fedd1ae76186fe14b0172a9fe15e6d50070.exe"
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1764
  - C:\Windows\CTS.exe
    Command line: "C:\Windows\CTS.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    PID: 2864
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\Ko4irz90ViqGoo7.exe
  Filesize: 266KB
  MD5: 39af12dd0f3b02e404313d7ac7b90d21
  SHA1: 6398863137891c0fbabda46ee2e28884976ea34b
  SHA256: 4019ef6f109c0fa529a55b81c76e1224f0fc99d14994ceabb87b33bca3d13b47
  SHA512: 59a32852900a98e50f7dc77930acf25607034f1a9e43e484de0fec9244ce9ad9bd05647b1a4de6b91506cc82ee0bd1a7eb6ef5f4c385d9f93c8a9aaa4a3cd8f2
- C:\Windows\CTS.exe
  Filesize: 80KB
  MD5: b596af3e5821c709a22c661155600a7e
  SHA1: 9c1563c6c6374f63d8cf92098a5780d614ff7759
  SHA256: 62ca133a4dac1f07c692b02092b18fa72fffb435be0e52a89e4e4f22c9f53624
  SHA512: ddbe2fcad0ace16e2c92a4ca3e499c1639bbc6b40bf8c9549cad133ef7e1f6431ea90f7be27cf7de393328564715ec38e2a829adc7e7b64d69aa90eed99e9baf
- memory/1764-0-0x0000000000E30000-0x0000000000E48000-memory.dmp
  Filesize: 96KB
- memory/1764-8-0x0000000000E30000-0x0000000000E48000-memory.dmp
  Filesize: 96KB
- memory/2864-10-0x0000000000330000-0x0000000000348000-memory.dmp
  Filesize: 96KB
- memory/2864-15-0x0000000000330000-0x0000000000348000-memory.dmp
  Filesize: 96KB