Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
11-09-2024 18:13
Static task
static1
Behavioral task
behavioral1
Sample
038b53fd1910eb848172c12c50d17bc052330e8cfa8f910e1e7a309c8956c577.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
038b53fd1910eb848172c12c50d17bc052330e8cfa8f910e1e7a309c8956c577.exe
Resource
win10v2004-20240802-en
General
-
Target
038b53fd1910eb848172c12c50d17bc052330e8cfa8f910e1e7a309c8956c577.exe
-
Size
428KB
-
MD5
488109113faa261fcad6852978d861cd
-
SHA1
0fbe869a1f7807df979d312345b26d79216397e7
-
SHA256
038b53fd1910eb848172c12c50d17bc052330e8cfa8f910e1e7a309c8956c577
-
SHA512
cf2b5c5228973c588ed2cad9e82ac6f3a614901ab6e7792dd1d945923ef6a5d014075e7e48326a81e115d3ffc4344640db0b3ffb224bad331e589a8feee5174b
-
SSDEEP
6144:GjYKlAhUBVB3pQOEhdjEh6s03EM9TyPAJoeKjFwEuei8i/nW0x/N5UXnyNpmMbvy:GjYRm7QOmdjNhlye6q/W0x/N59bbXM
Malware Config
Signatures
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
pid Process 1944 CTS.exe 2548 9Hhfl6vXHZXojJw.exe 2112 setup-stub.exe -
Loads dropped DLL 9 IoCs
pid Process 2556 038b53fd1910eb848172c12c50d17bc052330e8cfa8f910e1e7a309c8956c577.exe 2548 9Hhfl6vXHZXojJw.exe 2112 setup-stub.exe 2112 setup-stub.exe 2112 setup-stub.exe 2112 setup-stub.exe 2112 setup-stub.exe 2112 setup-stub.exe 2112 setup-stub.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/files/0x000c000000012266-13.dat upx behavioral1/memory/2548-14-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral1/memory/2548-115-0x0000000000400000-0x0000000000446000-memory.dmp upx -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" 038b53fd1910eb848172c12c50d17bc052330e8cfa8f910e1e7a309c8956c577.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" CTS.exe -
Drops file in Program Files directory 6 IoCs
description ioc Process File opened for modification C:\Program Files\Mozilla Firefox\nsjD167.tmp\ setup-stub.exe File opened for modification C:\Program Files\Mozilla Firefox\nsjD165.tmp setup-stub.exe File opened for modification C:\Program Files\Mozilla Firefox\nsjD166.tmp setup-stub.exe File opened for modification C:\Program Files\Mozilla Firefox\nsjD165.tmp\ setup-stub.exe File opened for modification C:\Program Files\Mozilla Firefox\nsjD167.tmp setup-stub.exe File opened for modification C:\Program Files\Mozilla Firefox\nsjD168.tmp setup-stub.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\CTS.exe 038b53fd1910eb848172c12c50d17bc052330e8cfa8f910e1e7a309c8956c577.exe File created C:\Windows\CTS.exe CTS.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 038b53fd1910eb848172c12c50d17bc052330e8cfa8f910e1e7a309c8956c577.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9Hhfl6vXHZXojJw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language setup-stub.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main setup-stub.exe -
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde setup-stub.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 setup-stub.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 setup-stub.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 setup-stub.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2556 038b53fd1910eb848172c12c50d17bc052330e8cfa8f910e1e7a309c8956c577.exe Token: SeDebugPrivilege 1944 CTS.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2112 setup-stub.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2112 setup-stub.exe 2112 setup-stub.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 2556 wrote to memory of 2548 2556 038b53fd1910eb848172c12c50d17bc052330e8cfa8f910e1e7a309c8956c577.exe 31 PID 2556 wrote to memory of 2548 2556 038b53fd1910eb848172c12c50d17bc052330e8cfa8f910e1e7a309c8956c577.exe 31 PID 2556 wrote to memory of 2548 2556 038b53fd1910eb848172c12c50d17bc052330e8cfa8f910e1e7a309c8956c577.exe 31 PID 2556 wrote to memory of 2548 2556 038b53fd1910eb848172c12c50d17bc052330e8cfa8f910e1e7a309c8956c577.exe 31 PID 2556 wrote to memory of 1944 2556 038b53fd1910eb848172c12c50d17bc052330e8cfa8f910e1e7a309c8956c577.exe 32 PID 2556 wrote to memory of 1944 2556 038b53fd1910eb848172c12c50d17bc052330e8cfa8f910e1e7a309c8956c577.exe 32 PID 2556 wrote to memory of 1944 2556 038b53fd1910eb848172c12c50d17bc052330e8cfa8f910e1e7a309c8956c577.exe 32 PID 2556 wrote to memory of 1944 2556 038b53fd1910eb848172c12c50d17bc052330e8cfa8f910e1e7a309c8956c577.exe 32 PID 2548 wrote to memory of 2112 2548 9Hhfl6vXHZXojJw.exe 33 PID 2548 wrote to memory of 2112 2548 9Hhfl6vXHZXojJw.exe 33 PID 2548 wrote to memory of 2112 2548 9Hhfl6vXHZXojJw.exe 33 PID 2548 wrote to memory of 2112 2548 9Hhfl6vXHZXojJw.exe 33 PID 2548 wrote to memory of 2112 2548 9Hhfl6vXHZXojJw.exe 33 PID 2548 wrote to memory of 2112 2548 9Hhfl6vXHZXojJw.exe 33 PID 2548 wrote to memory of 2112 2548 9Hhfl6vXHZXojJw.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\038b53fd1910eb848172c12c50d17bc052330e8cfa8f910e1e7a309c8956c577.exe"C:\Users\Admin\AppData\Local\Temp\038b53fd1910eb848172c12c50d17bc052330e8cfa8f910e1e7a309c8956c577.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Users\Admin\AppData\Local\Temp\9Hhfl6vXHZXojJw.exeC:\Users\Admin\AppData\Local\Temp\9Hhfl6vXHZXojJw.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Users\Admin\AppData\Local\Temp\7zS4F9A1EC6\setup-stub.exe.\setup-stub.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2112
-
-
-
C:\Windows\CTS.exe"C:\Windows\CTS.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1944
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Modify Registry
3Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
341KB
MD563aa3f6d8c2089b250b43df51b61ff96
SHA10c96c07ee255b7bc0c2c1b84ad668fc85ca6e8cd
SHA2568d0e6a04a748452823319990a2917abd39ca9af478f0a834242492a3fee4299f
SHA512b2d5888d0550f882c95448a7ebea583d6c5695b3fb37fbddeb49fc56253c63b148c1b1e18038b38d67f1fad24b013a7e2b22e4699c4ba628610baf4730bdb06f
-
Filesize
1KB
MD532de55f44c497811dd7ed7f227f5c28d
SHA1c111be08e7f3d268e7a2ed160d0c30833f25ae4a
SHA2566259f3a41a703f13466503e6fbd37ca40e94f565a2f4b4087fbcd87a13bf3ee1
SHA51248bb6f24b3ee2f4b7052205a3843ea34f917ee192b70261d2438c037b0e17d48bce8beb4c31be4141e9618922a45b6b47745b797e5618f18fe00bfc1625309ef
-
Filesize
2KB
MD5dfa7861bca754036ab853b3bb02b194d
SHA146d7c5ba614b39caa4857fcba4bdedbabb2c67c0
SHA2562c286b6eefd38f032a385f3ac6a1f794deab3bac0fbff71bd0ba21453f477878
SHA512c58d96fb2496a84261a5e4b18cf4156a30f9ad161bbabc3652b6b5c24976f1ac432dced31927a9443260cdca0292524d1f691766b7c0731f926d37be11fe0c64
-
Filesize
817B
MD558b8ac894c64370cfa137f5848aeb88d
SHA16a1ac1f88a918a232b79fe798b2de69cf433945f
SHA2560e28aa770b0afade30be85c6dc1e50344db8f8cdd3fa01989d81a9e20a4990bd
SHA512ae309518e0f926021e4d9378950c1a375263247d4f79d8a8cc09464cd01653ae5e707d52a4b0c36d532e649c246f4be6b5ba8648f58fb0e3e40c495ae63180ab
-
Filesize
86KB
MD50f736d30fbdaebed364c4cd9f084e500
SHA1d7e96b736463af4b3edacd5cc5525cb70c593334
SHA256431b7f30b7f8d520f69066b03b8dccbb35a6cb40a53c5e2320c6b5acf96b2e34
SHA512570a2f76d653414fedc12ed486f2bf0333dc860f52d70faa895d6b9951ac185317637d7b076e05c932f4c536259e19a952a716e9516d506d2a19de73c50f2566
-
Filesize
551KB
MD55e056e6cda3970d7683ca9fc79a463ff
SHA17feee6d8c3f28b818ba58d9c2c97521e128d15b6
SHA25645fabe4b7336d0356b02a765fbc590b3f1b3b2ae15d4562fba00a766b4e483c1
SHA51278fa522ca94e643233b4adb7296a4bb1a1af8b486ba024f5ed8d7c5780a0285be69e418b9f7a303579a6e62e3dbd9a597b81b56539314fd64431320cb71d772a
-
Filesize
53KB
MD52021acc65fa998daa98131e20c4605be
SHA12e8407cfe3b1a9d839ea391cfc423e8df8d8a390
SHA256c299a0a71bf57eb241868158b4fcfe839d15d5ba607e1bdc5499fdf67b334a14
SHA512cb96d3547bab778cbe94076be6765ed2ae07e183e4888d6c380f240b8c6708662a3b2b6b2294e38c48bc91bf2cc5fc7cfcd3afe63775151ba2fe34b06ce38948
-
Filesize
17KB
MD597c607f5d0add72295f8d0f27b448037
SHA1dfb9a1aa1d3b1f7821152afaac149cad38c8ce3c
SHA256dc98ed352476af459c91100b8c29073988da19d3adc73e2c2086d25f238544a5
SHA512ad759062152869089558389c741876029198c5b98fa725e2d2927866dc8b416ae2de871cb2479f614f6d29b6f646bf7191d02837c3cabc15b8185b563bc46268
-
Filesize
22KB
MD5b361682fa5e6a1906e754cfa08aa8d90
SHA1c6701aee0c866565de1b7c1f81fd88da56b395d3
SHA256b711c4f17690421c9dc8ddb9ed5a9ddc539b3a28f11e19c851e25dcfc7701c04
SHA5122778f91c9bcf83277d26c71118a1ccb0fb3ce50e89729f14f4915bc65dd48503a77b1e5118ce774dea72f5ce3cc8681eb9ca3c55cf90e9f61a177101ba192ae9
-
Filesize
28KB
MD5d23b256e9c12fe37d984bae5017c5f8c
SHA1fd698b58a563816b2260bbc50d7f864b33523121
SHA256ec6a56d981892bf251df1439bea425a5f6c7e1c7312d44bedd5e2957f270338c
SHA51213f284821324ffaeadafd3651f64d896186f47cf9a68735642cf37b37de777dba197067fbccd3a7411b5dc7976e510439253bd24c9be1d36c0a59d924c17ae8e
-
Filesize
14KB
MD5610ad03dec634768cd91c7ed79672d67
SHA1dc8099d476e2b324c09db95059ec5fd3febe1e1e
SHA256c6c413108539f141bea3f679e0e2ef705898c51ec7c2607f478a865fc5e2e2df
SHA51218c3c92be81aadfa73884fe3bdf1fce96ccfbd35057600ef52788a871de293b64f677351ba2885c6e9ce5c3890c22471c92832ffc13ba544e9d0b347c5d33bfd
-
Filesize
103KB
MD5b53cd4ad8562a11f3f7c7890a09df27a
SHA1db66b94670d47c7ee436c2a5481110ed4f013a48
SHA256281a0dc8b4f644334c2283897963b20df88fa9fd32acca98ed2856b23318e6ec
SHA512bb45d93ed13df24a2056040c219cdf36ee44c8cddb7e178fdaabcec63ac965e07f679ca1fa42591bba571992af619aa1dc76e819a7901709df79598a2b0cef81