f7c675eff00556242cfff8bc446fe407211a689d487252490c005567d1fde390

General

Target

91ab8f3f8f9d99ad59f99299e1cf858e.exe
Size

7.3MB
MD5

91ab8f3f8f9d99ad59f99299e1cf858e
SHA1

bd33293c34ec4d98a746268053213a37d483ec47
SHA256

f7c675eff00556242cfff8bc446fe407211a689d487252490c005567d1fde390
SHA512

ee4ce887180b7aa9186fc8359c8e6cd7ca490cdab401f16b72f9e1c1664a21536c95a0c59658c36bd674fddc20e0ca96f1e277f54118d7a4fae31fe4c855a82d
SSDEEP

196608:zvFsitNvy4TuJfkPd1+RL+MEp1sjw/2Qw:TF1KW5PTKLw1sjwDw

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2088	vZWDssqDTkYELxA.exe
5052	CTS.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	91ab8f3f8f9d99ad59f99299e1cf858e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	91ab8f3f8f9d99ad59f99299e1cf858e.exe
File created	C:\Windows\CTS.exe	CTS.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2544	91ab8f3f8f9d99ad59f99299e1cf858e.exe
Token: SeDebugPrivilege	5052	CTS.exe
Token: SeDebugPrivilege	2088	vZWDssqDTkYELxA.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 2088	2544	91ab8f3f8f9d99ad59f99299e1cf858e.exe	80
PID 2544 wrote to memory of 2088	2544	91ab8f3f8f9d99ad59f99299e1cf858e.exe	80
PID 2544 wrote to memory of 5052	2544	91ab8f3f8f9d99ad59f99299e1cf858e.exe	81
PID 2544 wrote to memory of 5052	2544	91ab8f3f8f9d99ad59f99299e1cf858e.exe	81
PID 2544 wrote to memory of 5052	2544	91ab8f3f8f9d99ad59f99299e1cf858e.exe	81

C:\Users\Admin\AppData\Local\Temp\91ab8f3f8f9d99ad59f99299e1cf858e.exe
"C:\Users\Admin\AppData\Local\Temp\91ab8f3f8f9d99ad59f99299e1cf858e.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Users\Admin\AppData\Local\Temp\vZWDssqDTkYELxA.exe
  C:\Users\Admin\AppData\Local\Temp\vZWDssqDTkYELxA.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2088
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:5052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
392KB

MD5
ea479db51eba81d3044ac5bf66fa1341

SHA1
b304a055b28c2a9e1ded2490dd0194da9bb14adf

SHA256
0e93121ac8eb48fb0f97a68e09b8202d60a2280367fc6e65fa4a129197f90705

SHA512
cdec1badca122e822ee375ed91677377ac1392c79d5a80dde9ccbfe8b711cd7191a7a864f7ba3fc2f3d22d05f66e116b33abb95ceb90ec5f5e21159ea15ac4e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\chocolatey.config.2088.update

Filesize
9KB

MD5
14ffcf07375b3952bd3f2fe52bb63c14

SHA1
ab2eadde4c614eb8f1f2cae09d989c5746796166

SHA256
6ccfdb5979e715d12e597b47e1d56db94cf6d3a105b94c6e5f4dd8bab28ef5ed

SHA512
14a32151f7f7c45971b4c1adfb61f6af5136b1db93b50d00c6e1e3171e25b19749817b4e916d023ee1822caee64961911103087ca516cf6a0eafce1d17641fc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\chocolatey.config.backup

Filesize
809B

MD5
8b6737800745d3b99886d013b3392ac3

SHA1
bb94da3f294922d9e8d31879f2d145586a182e19

SHA256
86f10504ca147d13a157944f926141fe164a89fa8a71847458bda7102abb6594

SHA512
654dda9b645b4900ac6e5bb226494921194dab7de71d75806f645d9b94ed820055914073ef9a5407e468089c0b2ee4d021f03c2ea61e73889b553895e79713df

Download Submit
C:\Users\Admin\AppData\Local\Temp\logs\chocolatey.log

Filesize
4KB

MD5
830fc666987cbe06a8644c378f310e55

SHA1
a2b8bfbbf8670b0d7f5a7b534226a5285f51d149

SHA256
796d589f7da4e1b69063a1accb42ec1681ebdaa62dfcd064711df200b89106cb

SHA512
447aba5f0973d848ec2e112cf022f696043bfe1d2a74afa77b9b194e46d2de95e20ce30a28d67163105b0fdad24dc00e84f7d69daa64cd808e8486be00c51ab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\logs\chocolatey.log

Filesize
2KB

MD5
bf71a4e51c98152b53c48af05a55ecac

SHA1
fd387be8be8eac910c38c7b19ddbdcb85ef7b44f

SHA256
4758345bddbfa79fe7aa5e3439dc8302b5c157b08945dc06e182771315c41138

SHA512
461564d9cf27f3542ae1324f3d88dd12552d30b34b032b31ab1a9e28d5a4189111389b6afd0bdae2572ab523920f9ef56ab3c8861e3f370cd966fbdb001a438d

Download Submit
C:\Users\Admin\AppData\Local\Temp\redirects\cuninst.exe.ignore

Filesize
2B

MD5
81051bcc2cf1bedf378224b0a93e2877

SHA1
ba8ab5a0280b953aa97435ff8946cbcbb2755a27

SHA256
7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

SHA512
1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vZWDssqDTkYELxA.exe

Filesize
7.3MB

MD5
dd6b75a77601d62ac66df1b0a51a7de3

SHA1
699fc35deccb0cd6e341420903fc993535c2c98f

SHA256
2f46a1d48e1589e0aa10f215e77cb48fb90c531e19aa3c05d766f59b449f3c15

SHA512
43bd57e5379c22494aade734a45a443722327d48c7f06aa521048c99adba576e29bd70bba7bd28ba94f8f24f88efed7b8e5a1b3249cbfcb4d95fd0bc1f424d86

Download Submit
C:\Windows\CTS.exe

Filesize
71KB

MD5
66df4ffab62e674af2e75b163563fc0b

SHA1
dec8a197312e41eeb3cfef01cb2a443f0205cd6e

SHA256
075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163

SHA512
1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25

Download Submit
memory/2088-25-0x0000000000810000-0x0000000000F56000-memory.dmp

Filesize
7.3MB

Download
memory/2088-62-0x000000001DD60000-0x000000001DDD6000-memory.dmp

Filesize
472KB

Download
memory/2088-63-0x00000000032D0000-0x00000000032EE000-memory.dmp

Filesize
120KB

Download
memory/2088-61-0x000000001BC10000-0x000000001BC60000-memory.dmp

Filesize
320KB

Download
memory/2088-34-0x00000000030F0000-0x0000000003110000-memory.dmp

Filesize
128KB

Download
memory/2088-26-0x00007FF9D55F0000-0x00007FF9D60B1000-memory.dmp

Filesize
10.8MB

Download
memory/2088-23-0x00007FF9D55F3000-0x00007FF9D55F5000-memory.dmp

Filesize
8KB

Download
memory/2088-168-0x00007FF9D55F0000-0x00007FF9D60B1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads