63b383f8c6a1cc671bdcc5383982db97163a28bb601413fd94e4261a047d782c

Analysis

max time kernel
137s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 00:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63b383f8c6a1cc671bdcc5383982db97163a28bb601413fd94e4261a047d782c.exe
Size

71KB
MD5

1c18861744413511313ff3ca6de2b6c0
SHA1

564684474c0cbf0ae5e34238cff836b73cd2ab5d
SHA256

63b383f8c6a1cc671bdcc5383982db97163a28bb601413fd94e4261a047d782c
SHA512

5af598616b68ff2b47ec346d8df76db65eae68a32a906f4863e3e0906faad1405c55f900e2eb7aa2e2c8694063ceabf83f0a54037f8549c9977e0a57075f0a5a
SSDEEP

1536:Fc897UsWjcd9w+AyabjDbxE+MwmvlDuazThS:ZhpAyazIlyazThS

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

CTS.exe

pid process

4664 CTS.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4664	CTS.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

63b383f8c6a1cc671bdcc5383982db97163a28bb601413fd94e4261a047d782c.exeCTS.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	63b383f8c6a1cc671bdcc5383982db97163a28bb601413fd94e4261a047d782c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Drops file in Windows directory 2 IoCs

Processes:

63b383f8c6a1cc671bdcc5383982db97163a28bb601413fd94e4261a047d782c.exeCTS.exe

description	ioc	process
File created	C:\Windows\CTS.exe	63b383f8c6a1cc671bdcc5383982db97163a28bb601413fd94e4261a047d782c.exe
File created	C:\Windows\CTS.exe	CTS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

63b383f8c6a1cc671bdcc5383982db97163a28bb601413fd94e4261a047d782c.exeCTS.exe

description	pid	process
Token: SeDebugPrivilege	112	63b383f8c6a1cc671bdcc5383982db97163a28bb601413fd94e4261a047d782c.exe
Token: SeDebugPrivilege	4664	CTS.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

63b383f8c6a1cc671bdcc5383982db97163a28bb601413fd94e4261a047d782c.exe

description	pid	process	target process
PID 112 wrote to memory of 4664	112	63b383f8c6a1cc671bdcc5383982db97163a28bb601413fd94e4261a047d782c.exe	CTS.exe
PID 112 wrote to memory of 4664	112	63b383f8c6a1cc671bdcc5383982db97163a28bb601413fd94e4261a047d782c.exe	CTS.exe
PID 112 wrote to memory of 4664	112	63b383f8c6a1cc671bdcc5383982db97163a28bb601413fd94e4261a047d782c.exe	CTS.exe

C:\Users\Admin\AppData\Local\Temp\63b383f8c6a1cc671bdcc5383982db97163a28bb601413fd94e4261a047d782c.exe
"C:\Users\Admin\AppData\Local\Temp\63b383f8c6a1cc671bdcc5383982db97163a28bb601413fd94e4261a047d782c.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:112

C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3716 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
1⤵
PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
789KB

MD5
af8e9b8d4d4432ab3353ee21e6db9bd7

SHA1
b86361cc5ae24567c6060d32861c03abed7d49fc

SHA256
bcec1253c301b28446c2e46e367f2cb4969f9e0363faa8b24d20b9e136b0b4c7

SHA512
497e803e08f769f9e842c20a67bd03e454e37082d30291e4068e81d82a4dab52f54365f643cbf67143b1abf04b8502c25ec58fc59291dd0d9f9ffe3475acce94

Download Submit
C:\Users\Admin\AppData\Local\Temp\76ndbmEKKeJ3pFq.exe

Filesize
71KB

MD5
5e12b48a002d736cd232f79d6b1ef506

SHA1
7601a378870d6fe6a6d08acff7c13171f4abdad9

SHA256
9946896c10fef71f95a004ccf487e46a38fa2303fa6879fd8eff404207e59b70

SHA512
737b29f6e57053adb17ed6ca0ef815a19287c09668a55ed15435f9eac73e11ec2f157209bf3845e16fd85a2de1c784407ee6e295e55376daf371f7a75c7c2efb

Download Submit
C:\Windows\CTS.exe

Filesize
71KB

MD5
66df4ffab62e674af2e75b163563fc0b

SHA1
dec8a197312e41eeb3cfef01cb2a443f0205cd6e

SHA256
075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163

SHA512
1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25

Download Submit