89c590150580ea5381b7538d032a9ea24f0272cc15fa2153e9e298df9d9a080f

General

Target

89c590150580ea5381b7538d032a9ea24f0272cc15fa2153e9e298df9d9a080f.exe
Size

153KB
MD5

30161800c1dd1970849576cbd8cf4d5a
SHA1

1d2aed14103f9583e257d92c0478f31377cea620
SHA256

89c590150580ea5381b7538d032a9ea24f0272cc15fa2153e9e298df9d9a080f
SHA512

ae1e00f2b94f988104e85363ae5f6808125ba77a7af28b4d51f9cf001489cdc652ad6d87c99d4a20d3e72c987954f77108f7d41141d4289cf0200ac44007125b
SSDEEP

3072:kjr87SHQ18FXMijWThdtkYlO/5H+I3Lj5oe:5v18F8btUYlGB+I7j5oe

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

bp1GyNPv1HtzWI3.exeCTS.exe

pid process

872 bp1GyNPv1HtzWI3.exe
2612 CTS.exe

pid	process
872	bp1GyNPv1HtzWI3.exe
2612	CTS.exe

Loads dropped DLL 3 IoCs

Processes:

89c590150580ea5381b7538d032a9ea24f0272cc15fa2153e9e298df9d9a080f.exe

pid	process
2348	89c590150580ea5381b7538d032a9ea24f0272cc15fa2153e9e298df9d9a080f.exe
2348	89c590150580ea5381b7538d032a9ea24f0272cc15fa2153e9e298df9d9a080f.exe
2696

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

89c590150580ea5381b7538d032a9ea24f0272cc15fa2153e9e298df9d9a080f.exeCTS.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	89c590150580ea5381b7538d032a9ea24f0272cc15fa2153e9e298df9d9a080f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Drops file in Windows directory 2 IoCs

Processes:

89c590150580ea5381b7538d032a9ea24f0272cc15fa2153e9e298df9d9a080f.exeCTS.exe

description	ioc	process
File created	C:\Windows\CTS.exe	89c590150580ea5381b7538d032a9ea24f0272cc15fa2153e9e298df9d9a080f.exe
File created	C:\Windows\CTS.exe	CTS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

89c590150580ea5381b7538d032a9ea24f0272cc15fa2153e9e298df9d9a080f.exeCTS.exe

description	pid	process
Token: SeDebugPrivilege	2348	89c590150580ea5381b7538d032a9ea24f0272cc15fa2153e9e298df9d9a080f.exe
Token: SeDebugPrivilege	2612	CTS.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

89c590150580ea5381b7538d032a9ea24f0272cc15fa2153e9e298df9d9a080f.exe

description	pid	process	target process
PID 2348 wrote to memory of 872	2348	89c590150580ea5381b7538d032a9ea24f0272cc15fa2153e9e298df9d9a080f.exe	bp1GyNPv1HtzWI3.exe
PID 2348 wrote to memory of 872	2348	89c590150580ea5381b7538d032a9ea24f0272cc15fa2153e9e298df9d9a080f.exe	bp1GyNPv1HtzWI3.exe
PID 2348 wrote to memory of 872	2348	89c590150580ea5381b7538d032a9ea24f0272cc15fa2153e9e298df9d9a080f.exe	bp1GyNPv1HtzWI3.exe
PID 2348 wrote to memory of 872	2348	89c590150580ea5381b7538d032a9ea24f0272cc15fa2153e9e298df9d9a080f.exe	bp1GyNPv1HtzWI3.exe
PID 2348 wrote to memory of 2612	2348	89c590150580ea5381b7538d032a9ea24f0272cc15fa2153e9e298df9d9a080f.exe	CTS.exe
PID 2348 wrote to memory of 2612	2348	89c590150580ea5381b7538d032a9ea24f0272cc15fa2153e9e298df9d9a080f.exe	CTS.exe
PID 2348 wrote to memory of 2612	2348	89c590150580ea5381b7538d032a9ea24f0272cc15fa2153e9e298df9d9a080f.exe	CTS.exe
PID 2348 wrote to memory of 2612	2348	89c590150580ea5381b7538d032a9ea24f0272cc15fa2153e9e298df9d9a080f.exe	CTS.exe

C:\Users\Admin\AppData\Local\Temp\89c590150580ea5381b7538d032a9ea24f0272cc15fa2153e9e298df9d9a080f.exe
"C:\Users\Admin\AppData\Local\Temp\89c590150580ea5381b7538d032a9ea24f0272cc15fa2153e9e298df9d9a080f.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2348

C:\Users\Admin\AppData\Local\Temp\bp1GyNPv1HtzWI3.exe
C:\Users\Admin\AppData\Local\Temp\bp1GyNPv1HtzWI3.exe
2⤵
- Executes dropped EXE
PID:872

C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2612

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\CTS.exe
Filesize
80KB

MD5
ec704028ad7125c2fa52e04dc68c0ca3

SHA1
2a63f27d0138696c9c27a9ea2534e8f2ca11ddc4

SHA256
5f77a5d7c9eac3b004820646dece450e315a6e3ed320dc183ae68d59cd2318bf

SHA512
a008a08c980583b8698431ca44fa45d5565fdc5316dc3e58c47ae523e7a7a776162979b0c79f9c64f0b71e0d98fb49102679378354f76c270d0c99207c15d160

Download Submit
\Users\Admin\AppData\Local\Temp\bp1GyNPv1HtzWI3.exe
Filesize
73KB

MD5
d2778164ef643ba8f44cc202ec7ef157

SHA1
31eee7114eed6b0d2fb77c9f3605057639050786

SHA256
28b001bb9a72ae7a24242bfab248d767a1ac5dec981c672a3944f7a072375e9a

SHA512
cb2a5a2aeba9d6f6bfc4a3a4576961244c109aafb59f02134b03ebac4d16602ee7f141cc4adc519f15030c20e7e7d6585778870706b2ea4c74c1161729101635

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads