Analysis

  • max time kernel
    140s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    28/05/2024, 22:48 UTC

General

  • Target

    751003cbbfbae322a2d3d60ac00ddd89cb4ba3bb5ef1a60048d585125a55476d.exe

  • Size

    27KB

  • MD5

    997cfd640be6243a2add974d9bf9e105

  • SHA1

    471275f0c3420076a77be13f17fb408f75409ce2

  • SHA256

    751003cbbfbae322a2d3d60ac00ddd89cb4ba3bb5ef1a60048d585125a55476d

  • SHA512

    67099eebd89075b80cd3482c7a29d9b1726a90816da1bfea1ecd1c08915a2f3e9d8ddd142aac1bff73f9aed2a59a59c0bb0968f773578138bf7bafc561fe51d6

  • SSDEEP

    768:X9J/3FzjgfanEGx8V36unjv88tznuRU65Y4gpph1ePVCML:N5VzcfA/6LrVpL74gfh16nL

Malware Config

Signatures

  • UPX dump on OEP (original entry point) 6 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\751003cbbfbae322a2d3d60ac00ddd89cb4ba3bb5ef1a60048d585125a55476d.exe
    "C:\Users\Admin\AppData\Local\Temp\751003cbbfbae322a2d3d60ac00ddd89cb4ba3bb5ef1a60048d585125a55476d.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3028
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:2948

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\mI2n5t9uigPh9QU.exe

    Filesize

    27KB

    MD5

    588df9c67151d9b3914e44fe78787b25

    SHA1

    d1ca7fc3e36a155e6105e281031da055181ca236

    SHA256

    7cf6bae6bc936354554ac0da5393817dc4bbc0a2cc1db948f4feb760c3f03665

    SHA512

    8ad1afe1ae87c886aace82e8105bb41752d333d4b4d159d0cb3485c18984eb5bf7b814c744c84b80e87675999021f68d91b53437fbba052ead3254de1a00988f

  • C:\Windows\CTS.exe

    Filesize

    27KB

    MD5

    a6749b968461644db5cc0ecceffb224a

    SHA1

    2795aa37b8586986a34437081351cdd791749a90

    SHA256

    720023737d7ff700818f55612ba069a609a5ddea646bb3509b615ee3523a4ca2

    SHA512

    2a276816290746ed914af9cf6427aef31ce9395b8e9937090e329a8f74fb84c62d15b196e13346caa086842b3f5f549b9eb20cbf422d18c9c1b63e6342ea90b4

  • memory/2948-13-0x0000000000910000-0x0000000000928000-memory.dmp

    Filesize

    96KB

  • memory/3028-0-0x0000000000E60000-0x0000000000E78000-memory.dmp

    Filesize

    96KB

  • memory/3028-5-0x00000000000E0000-0x00000000000F8000-memory.dmp

    Filesize

    96KB

  • memory/3028-10-0x0000000000E60000-0x0000000000E78000-memory.dmp

    Filesize

    96KB
