2b644bf4592d28e9d84e5161c2c65e40ee7972efdb0eb5160c8e85dad679fb3f

General

Target

0cb8c1388c05c8b1a13b93d3aef36770N.exe
Size

2.3MB
MD5

0cb8c1388c05c8b1a13b93d3aef36770
SHA1

fea8fe4d7dc778365c7222de3b5bee4fc7409c6f
SHA256

2b644bf4592d28e9d84e5161c2c65e40ee7972efdb0eb5160c8e85dad679fb3f
SHA512

eb9af867ec5461d8fb9538fc9892309e74e0b34e28d8092edb3111dacae4a58e1ff5a62d0f3417d4a2bff4c21bd2e47024cd8614480168b645d06308cee13283
SSDEEP

49152:G0j4AlwpQK0opkBEA7HdtcbAlKgXu80P5v3PFLUlKUf9ndr4WFoq4Y+6dz:gQ0C/TdtcNgXUR32lOWa58

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2304	uIFmvNehTJIre9l.exe
1960	CTS.exe
1084	uIFmvNehTJIre9l.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	0cb8c1388c05c8b1a13b93d3aef36770N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	0cb8c1388c05c8b1a13b93d3aef36770N.exe
File created	C:\Windows\CTS.exe	CTS.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0cb8c1388c05c8b1a13b93d3aef36770N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uIFmvNehTJIre9l.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CTS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uIFmvNehTJIre9l.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2472	0cb8c1388c05c8b1a13b93d3aef36770N.exe
Token: SeDebugPrivilege	1960	CTS.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1084	uIFmvNehTJIre9l.exe
1084	uIFmvNehTJIre9l.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2472 wrote to memory of 2304	2472	0cb8c1388c05c8b1a13b93d3aef36770N.exe	83
PID 2472 wrote to memory of 2304	2472	0cb8c1388c05c8b1a13b93d3aef36770N.exe	83
PID 2472 wrote to memory of 2304	2472	0cb8c1388c05c8b1a13b93d3aef36770N.exe	83
PID 2472 wrote to memory of 1960	2472	0cb8c1388c05c8b1a13b93d3aef36770N.exe	84
PID 2472 wrote to memory of 1960	2472	0cb8c1388c05c8b1a13b93d3aef36770N.exe	84
PID 2472 wrote to memory of 1960	2472	0cb8c1388c05c8b1a13b93d3aef36770N.exe	84
PID 2304 wrote to memory of 1084	2304	uIFmvNehTJIre9l.exe	85
PID 2304 wrote to memory of 1084	2304	uIFmvNehTJIre9l.exe	85
PID 2304 wrote to memory of 1084	2304	uIFmvNehTJIre9l.exe	85

C:\Users\Admin\AppData\Local\Temp\0cb8c1388c05c8b1a13b93d3aef36770N.exe
"C:\Users\Admin\AppData\Local\Temp\0cb8c1388c05c8b1a13b93d3aef36770N.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Users\Admin\AppData\Local\Temp\uIFmvNehTJIre9l.exe
  C:\Users\Admin\AppData\Local\Temp\uIFmvNehTJIre9l.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2304
- - C:\Users\Admin\AppData\Local\Temp\jds240615281.tmp\uIFmvNehTJIre9l.exe
    "C:\Users\Admin\AppData\Local\Temp\jds240615281.tmp\uIFmvNehTJIre9l.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1084
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
408KB

MD5
a7d4f8ca3ccd86f06f880d2f6a90def0

SHA1
e225bde155edba7a821c8f8a396362c728108556

SHA256
61305ca1bb0dc9dbc427268027c7296115196809578165499a0595457e981b11

SHA512
ff2c68aa82702a47222c96461149165551d918e488417bfae3b300c38ee487956cb23ffb280401a244b289d6873128c61a5e246b8dc0326bb0f71dbea0757b84

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds240615281.tmp\uIFmvNehTJIre9l.exe

Filesize
1.9MB

MD5
a05dbfbe3a88017f1ec5b2abf96ed0ad

SHA1
7ee98080fe870e6be5828ab4d82982367532ddb3

SHA256
8b73184c395fac04d2dcb40244430a9b9d4e3094a06d8a4d129435e00f147171

SHA512
5a600c2984c761b34e1aacaa73c8e6848bdc488a9582c8f30076f883644a93455fc9f57a9bb142ae8607df2e2ef02522e797712ab35a957238865820a115457a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
164KB

MD5
e0daec17bd14b61f7535deaf30f5d659

SHA1
8497e748858a8545bf8c397a001d84dfef8f2bc6

SHA256
38280595d76c47cc7fbb8f50ecb8f3ffd293b9748c4aa6971d7b3f48f4613774

SHA512
42e6beb41b0af9a210e01c9a1f2c8560f5f13e319aab7c59456e255fb1ee9cb46d918e9bb8459353064d4fb4118d19915aede606d794b77510f0ecd1e2c60c66

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
164KB

MD5
89070608e9d4c1e2fa8961d4a055d1cd

SHA1
6f73c4508fc6e1fcd224a583bdc85049d04845d1

SHA256
d31a4cadfec5994aa44ab394331526b18a443f4f490806af6ae25af0882685bc

SHA512
6de887338b20fa7b7da143de9119a9fe6ad5a83a86b45dd36c0f678957a9ad26150f4e8d2687a50bc6776effaea050113af3f068417cb6f5e7a19bf96a0b9a3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIFmvNehTJIre9l.exe

Filesize
2.2MB

MD5
d6d7f90978a6aa6a4bb1eaa53154881d

SHA1
9a2e8a8464bf5b28229faea669f2ae6d6a0973d2

SHA256
5cb03fddbe1e55a14282171eb4768a8cffa1d12a7123a63caba364c8f5495a54

SHA512
ff8190d9fdc1cee5838c31808bf347af089624c9fe971c10fe8cecfd39a6cafde13dfc82694184e854e9e734d66ae1f0a961fcef4afd8b2740eb2c6afbf51e06

Download Submit
C:\Windows\CTS.exe

Filesize
86KB

MD5
0f736d30fbdaebed364c4cd9f084e500

SHA1
d7e96b736463af4b3edacd5cc5525cb70c593334

SHA256
431b7f30b7f8d520f69066b03b8dccbb35a6cb40a53c5e2320c6b5acf96b2e34

SHA512
570a2f76d653414fedc12ed486f2bf0333dc860f52d70faa895d6b9951ac185317637d7b076e05c932f4c536259e19a952a716e9516d506d2a19de73c50f2566

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads