b50e602730106f016362788eb74221c3d6feaeef2d84949e39aba621ed1ed1e4

General

Target

36602e0bb93ee1ffe80939cf4d06eae0N.exe
Size

91KB
MD5

36602e0bb93ee1ffe80939cf4d06eae0
SHA1

f9fa6dbde43b49f0a3207c855b9233dca7919cce
SHA256

b50e602730106f016362788eb74221c3d6feaeef2d84949e39aba621ed1ed1e4
SHA512

2483d2c29b81d15ac78f38c590a9135520032e1483065ed3fb3c3e659b9de8cf4f36e18f98d9c65906d458ba9323a1c42a0d2c807f7ae15881253f32bc790cf4
SSDEEP

1536:N5VzcfA/6LrVpL74gfh16nd6S2X9Ca5L4iCsLemHFWF3TPquKjTgTJV65QGExj4J:/V2A/gVh74gpgMPCa5lRemlWVP3ogJof

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4712	2sQM1Ja3oqMz1Pt.exe
4184	CTS.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3468-0-0x0000000000DA0000-0x0000000000DB8000-memory.dmp	upx
behavioral2/files/0x000800000002355f-8.dat	upx
behavioral2/memory/4184-11-0x0000000000780000-0x0000000000798000-memory.dmp	upx
behavioral2/memory/3468-10-0x0000000000DA0000-0x0000000000DB8000-memory.dmp	upx
behavioral2/files/0x00070000000232f9-14.dat	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	36602e0bb93ee1ffe80939cf4d06eae0N.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	36602e0bb93ee1ffe80939cf4d06eae0N.exe
File created	C:\Windows\CTS.exe	CTS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3468	36602e0bb93ee1ffe80939cf4d06eae0N.exe
Token: SeDebugPrivilege	4184	CTS.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3468 wrote to memory of 4712	3468	36602e0bb93ee1ffe80939cf4d06eae0N.exe	89
PID 3468 wrote to memory of 4712	3468	36602e0bb93ee1ffe80939cf4d06eae0N.exe	89
PID 3468 wrote to memory of 4712	3468	36602e0bb93ee1ffe80939cf4d06eae0N.exe	89
PID 3468 wrote to memory of 4184	3468	36602e0bb93ee1ffe80939cf4d06eae0N.exe	91
PID 3468 wrote to memory of 4184	3468	36602e0bb93ee1ffe80939cf4d06eae0N.exe	91
PID 3468 wrote to memory of 4184	3468	36602e0bb93ee1ffe80939cf4d06eae0N.exe	91

C:\Users\Admin\AppData\Local\Temp\36602e0bb93ee1ffe80939cf4d06eae0N.exe
"C:\Users\Admin\AppData\Local\Temp\36602e0bb93ee1ffe80939cf4d06eae0N.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3468
- C:\Users\Admin\AppData\Local\Temp\2sQM1Ja3oqMz1Pt.exe
  C:\Users\Admin\AppData\Local\Temp\2sQM1Ja3oqMz1Pt.exe
  2⤵
  - Executes dropped EXE
  PID:4712
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:4184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4108,i,8550138573348074061,7308779696487990535,262144 --variations-seed-version --mojo-platform-channel-handle=4092 /prefetch:8
1⤵
PID:4472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
348KB

MD5
69c8bfb22554e4359dfaa3afcb26c15e

SHA1
1cb85e81c87e3d245dc54d10440d358236741e83

SHA256
42285633d8af57f27b3433bc18e3e24c0fdb54d788293d3d7ac2b462e22ac0af

SHA512
715aae71ea0d25bf90310b919eb284f305c70f3d94c180669d9972783262f424016e1fe84eeff9a92eaebceb4806ef3bdfb92d6fb8b75f5d4fe079ea11152ef6

Download Submit
C:\Users\Admin\AppData\Local\Temp\2sQM1Ja3oqMz1Pt.exe

Filesize
64KB

MD5
ae6ce17005c63b7e9bf15a2a21abb315

SHA1
9b6bdfb9d648fa422f54ec07b8c8ea70389c09eb

SHA256
4a3387a54eeca83f3a8ff1f5f282f7966c9e7bfe159c8eb45444cab01b3e167e

SHA512
c883a5f599540d636efc8c0abc05aab7bad0aa1b10ab507f43f18e0fba905a10b94ff2f1ba10ae0fee15cc1b90a165a768dc078fda0ac27474f0eef66f6a11af

Download Submit
C:\Windows\CTS.exe

Filesize
27KB

MD5
a6749b968461644db5cc0ecceffb224a

SHA1
2795aa37b8586986a34437081351cdd791749a90

SHA256
720023737d7ff700818f55612ba069a609a5ddea646bb3509b615ee3523a4ca2

SHA512
2a276816290746ed914af9cf6427aef31ce9395b8e9937090e329a8f74fb84c62d15b196e13346caa086842b3f5f549b9eb20cbf422d18c9c1b63e6342ea90b4

Download Submit
memory/3468-0-0x0000000000DA0000-0x0000000000DB8000-memory.dmp

Filesize
96KB

Download
memory/3468-10-0x0000000000DA0000-0x0000000000DB8000-memory.dmp

Filesize
96KB

Download
memory/4184-11-0x0000000000780000-0x0000000000798000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads