Malware Analysis Report

2025-03-15 04:27

Sample ID 241025-1bejhaspey
Target 4b565c155e0f9ca1d78d468b77fcc2aaae6121c701405cb90ad3336dc3409f2f
SHA256 4b565c155e0f9ca1d78d468b77fcc2aaae6121c701405cb90ad3336dc3409f2f
Tags
discovery persistence spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

4b565c155e0f9ca1d78d468b77fcc2aaae6121c701405cb90ad3336dc3409f2f

Threat Level: Shows suspicious behavior

The file 4b565c155e0f9ca1d78d468b77fcc2aaae6121c701405cb90ad3336dc3409f2f was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery persistence spyware stealer

Reads user/profile data of web browsers

Executes dropped EXE

Adds Run key to start application

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-25 21:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-25 21:28

Reported

2024-10-25 21:30

Platform

win7-20240903-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4b565c155e0f9ca1d78d468b77fcc2aaae6121c701405cb90ad3336dc3409f2f.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\CTS.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\4b565c155e0f9ca1d78d468b77fcc2aaae6121c701405cb90ad3336dc3409f2f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\4b565c155e0f9ca1d78d468b77fcc2aaae6121c701405cb90ad3336dc3409f2f.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4b565c155e0f9ca1d78d468b77fcc2aaae6121c701405cb90ad3336dc3409f2f.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4b565c155e0f9ca1d78d468b77fcc2aaae6121c701405cb90ad3336dc3409f2f.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4b565c155e0f9ca1d78d468b77fcc2aaae6121c701405cb90ad3336dc3409f2f.exe

"C:\Users\Admin\AppData\Local\Temp\4b565c155e0f9ca1d78d468b77fcc2aaae6121c701405cb90ad3336dc3409f2f.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A

Files

C:\Windows\CTS.exe

MD5 0f736d30fbdaebed364c4cd9f084e500
SHA1 d7e96b736463af4b3edacd5cc5525cb70c593334
SHA256 431b7f30b7f8d520f69066b03b8dccbb35a6cb40a53c5e2320c6b5acf96b2e34
SHA512 570a2f76d653414fedc12ed486f2bf0333dc860f52d70faa895d6b9951ac185317637d7b076e05c932f4c536259e19a952a716e9516d506d2a19de73c50f2566

C:\Users\Admin\AppData\Local\Temp\KmvXlL74jk2gZDp.exe

MD5 7548cc38715ea84193ce6905de4d2e13
SHA1 9d0242ee3e97f481134c9a39ab652b5625b41259
SHA256 d762abbb96f87469808376993fc1163089bcb9dc7c3a2abd40889cfd093a560d
SHA512 1549d6812e337ed4f266c73d07424d92bb2704d0efff61dd1d2029a9e532c75bdaa9ecfeb6051f38e5f792a399e9b785c63d9cddbed8effa928a7d57a30768ac

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-25 21:28

Reported

2024-10-25 21:30

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4b565c155e0f9ca1d78d468b77fcc2aaae6121c701405cb90ad3336dc3409f2f.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\CTS.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\4b565c155e0f9ca1d78d468b77fcc2aaae6121c701405cb90ad3336dc3409f2f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\4b565c155e0f9ca1d78d468b77fcc2aaae6121c701405cb90ad3336dc3409f2f.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4b565c155e0f9ca1d78d468b77fcc2aaae6121c701405cb90ad3336dc3409f2f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\CTS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4b565c155e0f9ca1d78d468b77fcc2aaae6121c701405cb90ad3336dc3409f2f.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4b565c155e0f9ca1d78d468b77fcc2aaae6121c701405cb90ad3336dc3409f2f.exe

"C:\Users\Admin\AppData\Local\Temp\4b565c155e0f9ca1d78d468b77fcc2aaae6121c701405cb90ad3336dc3409f2f.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 226.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 101.11.19.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

C:\Windows\CTS.exe

MD5 0f736d30fbdaebed364c4cd9f084e500
SHA1 d7e96b736463af4b3edacd5cc5525cb70c593334
SHA256 431b7f30b7f8d520f69066b03b8dccbb35a6cb40a53c5e2320c6b5acf96b2e34
SHA512 570a2f76d653414fedc12ed486f2bf0333dc860f52d70faa895d6b9951ac185317637d7b076e05c932f4c536259e19a952a716e9516d506d2a19de73c50f2566

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 2815405a95070b2a792572d3470b8ff5
SHA1 89b125232a6e516edf80c770148f704907d20e81
SHA256 0219e2ed0a83c326fa65190d1d1a9a08c453555fd9ffdb89d4ed92e1ad0eaa76
SHA512 53f668f2774dff225a13c53ff651691696ae871df4155516f5e0abde6c1bc1a5427934ecc365cce8f0093f0bc5d507a7cec9e28daa77e0229eace1a2e1e817ef

C:\Users\Admin\AppData\Local\Temp\lCpPmRLSnzy0w1h.exe

MD5 76595cee66699aaf3ba16728c85cd4db
SHA1 2c29f52271367c16b3b8c0abe5bca5c9267d953c
SHA256 f9667fe188ded8fdaa8ad943c09db58ec28962672df1129fc2b66d972299e89d
SHA512 6d22f0ffa55bd1d4b524d719d73fae3bfd653fdb1b37388d6e3d8ce2e22d4f65c07072bde0806d4c0001b7f2f516b25a01d66735de06ae2e6b747609271fbd3a