Malware Analysis Report

2024-11-15 06:38

Sample ID: 240604-bdcegsgd63
Target: a27f261c595fb0040e689a76ccddd1407f7dae0badacedbc8647f1728990b77f
SHA256: a27f261c595fb0040e689a76ccddd1407f7dae0badacedbc8647f1728990b77f
Tags: upx, persistence, spyware, stealer
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: a27f261c595fb0040e689a76ccddd1407f7dae0badacedbc8647f1728990b77f

Threat Level: Known bad

The file a27f261c595fb0040e689a76ccddd1407f7dae0badacedbc8647f1728990b77f was found to be: Known bad.

Malicious Activity Summary

Tags: upx, persistence, spyware, stealer

UPX dump on OEP (original entry point)

UPX packed file

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-04 01:01

Signatures

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

UPX packed file

Tags: upx

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-04 01:01

Reported

2024-06-04 01:03

Platform

win7-20240508-en

Max time kernel

140s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a27f261c595fb0040e689a76ccddd1407f7dae0badacedbc8647f1728990b77f.exe"

Signatures

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FsmWysgMwmTWXAZ.exe | N/A
N/A | N/A | C:\Windows\CTS.exe | N/A

Reads user/profile data of web browsers

Tags: spyware, stealer

UPX packed file

Tags: upx

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\a27f261c595fb0040e689a76ccddd1407f7dae0badacedbc8647f1728990b77f.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\a27f261c595fb0040e689a76ccddd1407f7dae0badacedbc8647f1728990b77f.exe | N/A
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a27f261c595fb0040e689a76ccddd1407f7dae0badacedbc8647f1728990b77f.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a27f261c595fb0040e689a76ccddd1407f7dae0badacedbc8647f1728990b77f.exe

"C:\Users\Admin\AppData\Local\Temp\a27f261c595fb0040e689a76ccddd1407f7dae0badacedbc8647f1728990b77f.exe"

C:\Users\Admin\AppData\Local\Temp\FsmWysgMwmTWXAZ.exe

C:\Users\Admin\AppData\Local\Temp\FsmWysgMwmTWXAZ.exe

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A

Files

memory/1728-0-0x0000000000B20000-0x0000000000B38000-memory.dmp

\Users\Admin\AppData\Local\Temp\FsmWysgMwmTWXAZ.exe

MD5 ae6ce17005c63b7e9bf15a2a21abb315
SHA1 9b6bdfb9d648fa422f54ec07b8c8ea70389c09eb
SHA256 4a3387a54eeca83f3a8ff1f5f282f7966c9e7bfe159c8eb45444cab01b3e167e
SHA512 c883a5f599540d636efc8c0abc05aab7bad0aa1b10ab507f43f18e0fba905a10b94ff2f1ba10ae0fee15cc1b90a165a768dc078fda0ac27474f0eef66f6a11af

memory/1728-15-0x0000000000B20000-0x0000000000B38000-memory.dmp

C:\Windows\CTS.exe

MD5 a6749b968461644db5cc0ecceffb224a
SHA1 2795aa37b8586986a34437081351cdd791749a90
SHA256 720023737d7ff700818f55612ba069a609a5ddea646bb3509b615ee3523a4ca2
SHA512 2a276816290746ed914af9cf6427aef31ce9395b8e9937090e329a8f74fb84c62d15b196e13346caa086842b3f5f549b9eb20cbf422d18c9c1b63e6342ea90b4

memory/2052-17-0x0000000000FD0000-0x0000000000FE8000-memory.dmp

memory/2052-22-0x0000000000FD0000-0x0000000000FE8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-04 01:01

Reported

2024-06-04 01:03

Platform

win10v2004-20240508-en

Max time kernel

140s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a27f261c595fb0040e689a76ccddd1407f7dae0badacedbc8647f1728990b77f.exe"

Signatures

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\QKAxMdItX1CKd47.exe | N/A
N/A | N/A | C:\Windows\CTS.exe | N/A

Reads user/profile data of web browsers

Tags: spyware, stealer

UPX packed file

Tags: upx

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\a27f261c595fb0040e689a76ccddd1407f7dae0badacedbc8647f1728990b77f.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\a27f261c595fb0040e689a76ccddd1407f7dae0badacedbc8647f1728990b77f.exe | N/A
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a27f261c595fb0040e689a76ccddd1407f7dae0badacedbc8647f1728990b77f.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a27f261c595fb0040e689a76ccddd1407f7dae0badacedbc8647f1728990b77f.exe

"C:\Users\Admin\AppData\Local\Temp\a27f261c595fb0040e689a76ccddd1407f7dae0badacedbc8647f1728990b77f.exe"

C:\Users\Admin\AppData\Local\Temp\QKAxMdItX1CKd47.exe

C:\Users\Admin\AppData\Local\Temp\QKAxMdItX1CKd47.exe

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp

Files

memory/212-0-0x0000000000250000-0x0000000000268000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QKAxMdItX1CKd47.exe

MD5 ae6ce17005c63b7e9bf15a2a21abb315
SHA1 9b6bdfb9d648fa422f54ec07b8c8ea70389c09eb
SHA256 4a3387a54eeca83f3a8ff1f5f282f7966c9e7bfe159c8eb45444cab01b3e167e
SHA512 c883a5f599540d636efc8c0abc05aab7bad0aa1b10ab507f43f18e0fba905a10b94ff2f1ba10ae0fee15cc1b90a165a768dc078fda0ac27474f0eef66f6a11af

memory/1580-9-0x0000000000B60000-0x0000000000B78000-memory.dmp

C:\Windows\CTS.exe

MD5 a6749b968461644db5cc0ecceffb224a
SHA1 2795aa37b8586986a34437081351cdd791749a90
SHA256 720023737d7ff700818f55612ba069a609a5ddea646bb3509b615ee3523a4ca2
SHA512 2a276816290746ed914af9cf6427aef31ce9395b8e9937090e329a8f74fb84c62d15b196e13346caa086842b3f5f549b9eb20cbf422d18c9c1b63e6342ea90b4

memory/212-11-0x0000000000250000-0x0000000000268000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 7eb334cec13e457bd56dbbb4239ffb7d
SHA1 6ac44ae62b01b536e82b29904096c00853af7557
SHA256 81d15ac4adfafc0079903e5cd6bfe540ece4a6a2ea51d40e937bbe7c5af3ab48
SHA512 ed65a4451cd2b02b3d227bfe14c657151f4c696fa854fa58b50f1b2ae6b197831f967053ab429a8f75900ecdb394b4a739f3d829e092dc9bebac36cea48a5bcf

memory/1580-34-0x0000000000B60000-0x0000000000B78000-memory.dmp