f7c675eff00556242cfff8bc446fe407211a689d487252490c005567d1fde390

General

Target

91ab8f3f8f9d99ad59f99299e1cf858e.exe
Size

7.3MB
MD5

91ab8f3f8f9d99ad59f99299e1cf858e
SHA1

bd33293c34ec4d98a746268053213a37d483ec47
SHA256

f7c675eff00556242cfff8bc446fe407211a689d487252490c005567d1fde390
SHA512

ee4ce887180b7aa9186fc8359c8e6cd7ca490cdab401f16b72f9e1c1664a21536c95a0c59658c36bd674fddc20e0ca96f1e277f54118d7a4fae31fe4c855a82d
SSDEEP

196608:zvFsitNvy4TuJfkPd1+RL+MEp1sjw/2Qw:TF1KW5PTKLw1sjwDw

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2488	B7wnIR4tiF5evtB.exe
640	CTS.exe

Loads dropped DLL 2 IoCs

pid	Process
3016	91ab8f3f8f9d99ad59f99299e1cf858e.exe
3016	91ab8f3f8f9d99ad59f99299e1cf858e.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	91ab8f3f8f9d99ad59f99299e1cf858e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	91ab8f3f8f9d99ad59f99299e1cf858e.exe
File created	C:\Windows\CTS.exe	CTS.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3016	91ab8f3f8f9d99ad59f99299e1cf858e.exe
Token: SeDebugPrivilege	640	CTS.exe
Token: SeDebugPrivilege	2488	B7wnIR4tiF5evtB.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 2488	3016	91ab8f3f8f9d99ad59f99299e1cf858e.exe	28
PID 3016 wrote to memory of 2488	3016	91ab8f3f8f9d99ad59f99299e1cf858e.exe	28
PID 3016 wrote to memory of 2488	3016	91ab8f3f8f9d99ad59f99299e1cf858e.exe	28
PID 3016 wrote to memory of 2488	3016	91ab8f3f8f9d99ad59f99299e1cf858e.exe	28
PID 3016 wrote to memory of 640	3016	91ab8f3f8f9d99ad59f99299e1cf858e.exe	29
PID 3016 wrote to memory of 640	3016	91ab8f3f8f9d99ad59f99299e1cf858e.exe	29
PID 3016 wrote to memory of 640	3016	91ab8f3f8f9d99ad59f99299e1cf858e.exe	29
PID 3016 wrote to memory of 640	3016	91ab8f3f8f9d99ad59f99299e1cf858e.exe	29

C:\Users\Admin\AppData\Local\Temp\91ab8f3f8f9d99ad59f99299e1cf858e.exe
"C:\Users\Admin\AppData\Local\Temp\91ab8f3f8f9d99ad59f99299e1cf858e.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Users\Admin\AppData\Local\Temp\B7wnIR4tiF5evtB.exe
  C:\Users\Admin\AppData\Local\Temp\B7wnIR4tiF5evtB.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2488
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\config\chocolatey.config.backup

Filesize
809B

MD5
8b6737800745d3b99886d013b3392ac3

SHA1
bb94da3f294922d9e8d31879f2d145586a182e19

SHA256
86f10504ca147d13a157944f926141fe164a89fa8a71847458bda7102abb6594

SHA512
654dda9b645b4900ac6e5bb226494921194dab7de71d75806f645d9b94ed820055914073ef9a5407e468089c0b2ee4d021f03c2ea61e73889b553895e79713df

Download Submit
C:\Users\Admin\AppData\Local\Temp\logs\chocolatey.log

Filesize
4KB

MD5
b0933812adef57292b419d2b5254a7d5

SHA1
39a8a0a36e56228db0b9b308b83823be84a432ee

SHA256
f3905990329465db7cbdb1a389592deff7eeaa8af3c4da1728095fc0c3c3e9bf

SHA512
0bb22ada0a1be3f8682cf4161a33eabdc54c785261e560ee53625d5d4d36af273c414150983a8023f0e929ed9369993a59a04e75eddc19d0ebf2257c45bd1764

Download Submit
C:\Users\Admin\AppData\Local\Temp\redirects\cpush.exe.ignore

Filesize
2B

MD5
81051bcc2cf1bedf378224b0a93e2877

SHA1
ba8ab5a0280b953aa97435ff8946cbcbb2755a27

SHA256
7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

SHA512
1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

Download Submit
C:\Windows\CTS.exe

Filesize
71KB

MD5
66df4ffab62e674af2e75b163563fc0b

SHA1
dec8a197312e41eeb3cfef01cb2a443f0205cd6e

SHA256
075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163

SHA512
1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25

Download Submit
\Users\Admin\AppData\Local\Temp\B7wnIR4tiF5evtB.exe

Filesize
7.3MB

MD5
dd6b75a77601d62ac66df1b0a51a7de3

SHA1
699fc35deccb0cd6e341420903fc993535c2c98f

SHA256
2f46a1d48e1589e0aa10f215e77cb48fb90c531e19aa3c05d766f59b449f3c15

SHA512
43bd57e5379c22494aade734a45a443722327d48c7f06aa521048c99adba576e29bd70bba7bd28ba94f8f24f88efed7b8e5a1b3249cbfcb4d95fd0bc1f424d86

Download Submit
memory/2488-17-0x000007FEF5753000-0x000007FEF5754000-memory.dmp

Filesize
4KB

Download
memory/2488-18-0x0000000001110000-0x0000000001856000-memory.dmp

Filesize
7.3MB

Download
memory/2488-19-0x000007FEF5750000-0x000007FEF613C000-memory.dmp

Filesize
9.9MB

Download
memory/2488-27-0x000000001C370000-0x000000001C652000-memory.dmp

Filesize
2.9MB

Download
memory/2488-153-0x000007FEF5750000-0x000007FEF613C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads