27ec341f4d5e9f5fb96a6f5bd585363cec278a223b124a1d9dddc77419d3b1bc

General

Target

27ec341f4d5e9f5fb96a6f5bd585363cec278a223b124a1d9dddc77419d3b1bc.exe
Size

52KB
MD5

24872b80bd26a354684652a48a8eb2fb
SHA1

1d6152af22f1acf018d9dd1160f26f00d3d67a0d
SHA256

27ec341f4d5e9f5fb96a6f5bd585363cec278a223b124a1d9dddc77419d3b1bc
SHA512

914c34edb94c964acafb226e8b81d834bb7d3cbccb04a7ac6a0b19cffba49fd45cda070a951b01defe85be103ff1576874b712e0dbfab06e37f47a4aa005439e
SSDEEP

1536:N5VzcfA/6LrVpL74gfh16nRsWZberSKivV2XIjzqc2:/V2A/gVh74gpgRHbeWvVi

Score

9^/10

Malware Config

Signatures

UPX dump on OEP (original entry point) 5 IoCs

resource	yara_rule
behavioral1/memory/2984-1-0x0000000000180000-0x0000000000198000-memory.dmp	UPX
behavioral1/memory/2984-14-0x0000000000180000-0x0000000000198000-memory.dmp	UPX
behavioral1/files/0x002a000000015d02-16.dat	UPX
behavioral1/memory/2064-18-0x0000000000300000-0x0000000000318000-memory.dmp	UPX
behavioral1/files/0x000d00000001226b-21.dat	UPX

Executes dropped EXE 2 IoCs

pid	Process
2996	Eyd5VfNBw4ZVgLv.exe
2064	CTS.exe

Loads dropped DLL 3 IoCs

pid	Process
2984	27ec341f4d5e9f5fb96a6f5bd585363cec278a223b124a1d9dddc77419d3b1bc.exe
2984	27ec341f4d5e9f5fb96a6f5bd585363cec278a223b124a1d9dddc77419d3b1bc.exe
2836	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2984-1-0x0000000000180000-0x0000000000198000-memory.dmp	upx
behavioral1/memory/2984-14-0x0000000000180000-0x0000000000198000-memory.dmp	upx
behavioral1/files/0x002a000000015d02-16.dat	upx
behavioral1/memory/2064-18-0x0000000000300000-0x0000000000318000-memory.dmp	upx
behavioral1/files/0x000d00000001226b-21.dat	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	27ec341f4d5e9f5fb96a6f5bd585363cec278a223b124a1d9dddc77419d3b1bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	27ec341f4d5e9f5fb96a6f5bd585363cec278a223b124a1d9dddc77419d3b1bc.exe
File created	C:\Windows\CTS.exe	CTS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2984	27ec341f4d5e9f5fb96a6f5bd585363cec278a223b124a1d9dddc77419d3b1bc.exe
Token: SeDebugPrivilege	2064	CTS.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 2996	2984	27ec341f4d5e9f5fb96a6f5bd585363cec278a223b124a1d9dddc77419d3b1bc.exe	28
PID 2984 wrote to memory of 2996	2984	27ec341f4d5e9f5fb96a6f5bd585363cec278a223b124a1d9dddc77419d3b1bc.exe	28
PID 2984 wrote to memory of 2996	2984	27ec341f4d5e9f5fb96a6f5bd585363cec278a223b124a1d9dddc77419d3b1bc.exe	28
PID 2984 wrote to memory of 2996	2984	27ec341f4d5e9f5fb96a6f5bd585363cec278a223b124a1d9dddc77419d3b1bc.exe	28
PID 2984 wrote to memory of 2064	2984	27ec341f4d5e9f5fb96a6f5bd585363cec278a223b124a1d9dddc77419d3b1bc.exe	29
PID 2984 wrote to memory of 2064	2984	27ec341f4d5e9f5fb96a6f5bd585363cec278a223b124a1d9dddc77419d3b1bc.exe	29
PID 2984 wrote to memory of 2064	2984	27ec341f4d5e9f5fb96a6f5bd585363cec278a223b124a1d9dddc77419d3b1bc.exe	29
PID 2984 wrote to memory of 2064	2984	27ec341f4d5e9f5fb96a6f5bd585363cec278a223b124a1d9dddc77419d3b1bc.exe	29

C:\Users\Admin\AppData\Local\Temp\27ec341f4d5e9f5fb96a6f5bd585363cec278a223b124a1d9dddc77419d3b1bc.exe
"C:\Users\Admin\AppData\Local\Temp\27ec341f4d5e9f5fb96a6f5bd585363cec278a223b124a1d9dddc77419d3b1bc.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Users\Admin\AppData\Local\Temp\Eyd5VfNBw4ZVgLv.exe
  C:\Users\Admin\AppData\Local\Temp\Eyd5VfNBw4ZVgLv.exe
  2⤵
  - Executes dropped EXE
  PID:2996
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Eyd5VfNBw4ZVgLv.exe

Filesize
52KB

MD5
41292232d4e6c2bc0992346291b445a4

SHA1
07ee248ac04c692ccb136ad53792a4a2b4a3853e

SHA256
dfeae81143ccf489891112ad106072177c30b1bec5c25e465cf0216a14c492a3

SHA512
3fe78047c7c10e40cd89744ccb70ed0d94b15fb36e4fbf4c23e0a4fee3424aa6de18e3840fd68f74349a02c77c1702df4d5a9c562cabccff838cad2a88c178ba

Download Submit
C:\Windows\CTS.exe

Filesize
27KB

MD5
a6749b968461644db5cc0ecceffb224a

SHA1
2795aa37b8586986a34437081351cdd791749a90

SHA256
720023737d7ff700818f55612ba069a609a5ddea646bb3509b615ee3523a4ca2

SHA512
2a276816290746ed914af9cf6427aef31ce9395b8e9937090e329a8f74fb84c62d15b196e13346caa086842b3f5f549b9eb20cbf422d18c9c1b63e6342ea90b4

Download Submit
\Users\Admin\AppData\Local\Temp\Eyd5VfNBw4ZVgLv.exe

Filesize
25KB

MD5
abbd49c180a2f8703f6306d6fa731fdc

SHA1
d63f4bfe7f74936b2fbace803e3da6103fbf6586

SHA256
5f411c0bd9ed9a42b0f07ed568c7d0cf358a83063b225a1f8f7da3296dde90f1

SHA512
290dd984acc451b778f3db8c510bae7aec1d9547c3ad0a1829df731c136e4ecc9a37dc6a786cf8f1ecc4d14339aed1288af25055f450f6f953138c8d4d5c36e9

Download Submit
memory/2064-18-0x0000000000300000-0x0000000000318000-memory.dmp

Filesize
96KB

Download
memory/2984-1-0x0000000000180000-0x0000000000198000-memory.dmp

Filesize
96KB

Download
memory/2984-14-0x0000000000180000-0x0000000000198000-memory.dmp

Filesize
96KB

Download
memory/2996-19-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads