751003cbbfbae322a2d3d60ac00ddd89cb4ba3bb5ef1a60048d585125a55476d

General

Target

751003cbbfbae322a2d3d60ac00ddd89cb4ba3bb5ef1a60048d585125a55476d.exe
Size

27KB
MD5

997cfd640be6243a2add974d9bf9e105
SHA1

471275f0c3420076a77be13f17fb408f75409ce2
SHA256

751003cbbfbae322a2d3d60ac00ddd89cb4ba3bb5ef1a60048d585125a55476d
SHA512

67099eebd89075b80cd3482c7a29d9b1726a90816da1bfea1ecd1c08915a2f3e9d8ddd142aac1bff73f9aed2a59a59c0bb0968f773578138bf7bafc561fe51d6
SSDEEP

768:X9J/3FzjgfanEGx8V36unjv88tznuRU65Y4gpph1ePVCML:N5VzcfA/6LrVpL74gfh16nL

Score

9^/10

Malware Config

Signatures

UPX dump on OEP (original entry point) 6 IoCs

resource	yara_rule
behavioral1/memory/3028-0-0x0000000000E60000-0x0000000000E78000-memory.dmp	UPX
behavioral1/memory/3028-5-0x00000000000E0000-0x00000000000F8000-memory.dmp	UPX
behavioral1/files/0x0031000000015d9c-8.dat	UPX
behavioral1/memory/2948-13-0x0000000000910000-0x0000000000928000-memory.dmp	UPX
behavioral1/memory/3028-10-0x0000000000E60000-0x0000000000E78000-memory.dmp	UPX
behavioral1/files/0x000b00000001431b-15.dat	UPX

Executes dropped EXE 1 IoCs

pid	Process
2948	CTS.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3028-0-0x0000000000E60000-0x0000000000E78000-memory.dmp	upx
behavioral1/memory/3028-5-0x00000000000E0000-0x00000000000F8000-memory.dmp	upx
behavioral1/files/0x0031000000015d9c-8.dat	upx
behavioral1/memory/2948-13-0x0000000000910000-0x0000000000928000-memory.dmp	upx
behavioral1/memory/3028-10-0x0000000000E60000-0x0000000000E78000-memory.dmp	upx
behavioral1/files/0x000b00000001431b-15.dat	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	751003cbbfbae322a2d3d60ac00ddd89cb4ba3bb5ef1a60048d585125a55476d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	751003cbbfbae322a2d3d60ac00ddd89cb4ba3bb5ef1a60048d585125a55476d.exe
File created	C:\Windows\CTS.exe	CTS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3028	751003cbbfbae322a2d3d60ac00ddd89cb4ba3bb5ef1a60048d585125a55476d.exe
Token: SeDebugPrivilege	2948	CTS.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2948	3028	751003cbbfbae322a2d3d60ac00ddd89cb4ba3bb5ef1a60048d585125a55476d.exe	28
PID 3028 wrote to memory of 2948	3028	751003cbbfbae322a2d3d60ac00ddd89cb4ba3bb5ef1a60048d585125a55476d.exe	28
PID 3028 wrote to memory of 2948	3028	751003cbbfbae322a2d3d60ac00ddd89cb4ba3bb5ef1a60048d585125a55476d.exe	28
PID 3028 wrote to memory of 2948	3028	751003cbbfbae322a2d3d60ac00ddd89cb4ba3bb5ef1a60048d585125a55476d.exe	28

C:\Users\Admin\AppData\Local\Temp\751003cbbfbae322a2d3d60ac00ddd89cb4ba3bb5ef1a60048d585125a55476d.exe
"C:\Users\Admin\AppData\Local\Temp\751003cbbfbae322a2d3d60ac00ddd89cb4ba3bb5ef1a60048d585125a55476d.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mI2n5t9uigPh9QU.exe

Filesize
27KB

MD5
588df9c67151d9b3914e44fe78787b25

SHA1
d1ca7fc3e36a155e6105e281031da055181ca236

SHA256
7cf6bae6bc936354554ac0da5393817dc4bbc0a2cc1db948f4feb760c3f03665

SHA512
8ad1afe1ae87c886aace82e8105bb41752d333d4b4d159d0cb3485c18984eb5bf7b814c744c84b80e87675999021f68d91b53437fbba052ead3254de1a00988f

Download Submit
C:\Windows\CTS.exe

Filesize
27KB

MD5
a6749b968461644db5cc0ecceffb224a

SHA1
2795aa37b8586986a34437081351cdd791749a90

SHA256
720023737d7ff700818f55612ba069a609a5ddea646bb3509b615ee3523a4ca2

SHA512
2a276816290746ed914af9cf6427aef31ce9395b8e9937090e329a8f74fb84c62d15b196e13346caa086842b3f5f549b9eb20cbf422d18c9c1b63e6342ea90b4

Download Submit
memory/2948-13-0x0000000000910000-0x0000000000928000-memory.dmp

Filesize
96KB

Download
memory/3028-0-0x0000000000E60000-0x0000000000E78000-memory.dmp

Filesize
96KB

Download
memory/3028-5-0x00000000000E0000-0x00000000000F8000-memory.dmp

Filesize
96KB

Download
memory/3028-10-0x0000000000E60000-0x0000000000E78000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads