Analysis Overview
SHA256
7a76ffc52008454a2ec6f185247fd241ee691f5d178aade7c30dc5e11444fc54
Threat Level: Shows suspicious behavior
The file 7a76ffc52008454a2ec6f185247fd241ee691f5d178aade7c30dc5e11444fc54N was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-25 20:59
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-25 20:59
Reported
2024-10-25 21:01
Platform
win7-20240729-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\7a76ffc52008454a2ec6f185247fd241ee691f5d178aade7c30dc5e11444fc54N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\7a76ffc52008454a2ec6f185247fd241ee691f5d178aade7c30dc5e11444fc54N.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7a76ffc52008454a2ec6f185247fd241ee691f5d178aade7c30dc5e11444fc54N.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7a76ffc52008454a2ec6f185247fd241ee691f5d178aade7c30dc5e11444fc54N.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2084 wrote to memory of 1944 | N/A | C:\Users\Admin\AppData\Local\Temp\7a76ffc52008454a2ec6f185247fd241ee691f5d178aade7c30dc5e11444fc54N.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\7a76ffc52008454a2ec6f185247fd241ee691f5d178aade7c30dc5e11444fc54N.exe
"C:\Users\Admin\AppData\Local\Temp\7a76ffc52008454a2ec6f185247fd241ee691f5d178aade7c30dc5e11444fc54N.exe"
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network
Files
C:\Windows\CTS.exe
| MD5 | 0f736d30fbdaebed364c4cd9f084e500 |
| SHA1 | d7e96b736463af4b3edacd5cc5525cb70c593334 |
| SHA256 | 431b7f30b7f8d520f69066b03b8dccbb35a6cb40a53c5e2320c6b5acf96b2e34 |
| SHA512 | 570a2f76d653414fedc12ed486f2bf0333dc860f52d70faa895d6b9951ac185317637d7b076e05c932f4c536259e19a952a716e9516d506d2a19de73c50f2566 |
C:\Users\Admin\AppData\Local\Temp\nYcRniIN7M4qloM.exe
| MD5 | 085ebd119f5fc6b8f63720fac1166ff5 |
| SHA1 | af066018aadec31b8e70a124a158736aca897306 |
| SHA256 | b8411fe8ec499074fca9047f6983d920279e84ddf3b02b2dd5c08cf07ec44687 |
| SHA512 | adb0522830db26123347cb485c43b156f5c888510e52091ba0fafc22b650ad29630c027746c920321905c28259dce7ff63dded93a79efddd5567c68312117875 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-25 20:59
Reported
2024-10-25 21:01
Platform
win10v2004-20241007-en
Max time kernel
100s
Max time network
121s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\7a76ffc52008454a2ec6f185247fd241ee691f5d178aade7c30dc5e11444fc54N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\7a76ffc52008454a2ec6f185247fd241ee691f5d178aade7c30dc5e11444fc54N.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7a76ffc52008454a2ec6f185247fd241ee691f5d178aade7c30dc5e11444fc54N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\CTS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7a76ffc52008454a2ec6f185247fd241ee691f5d178aade7c30dc5e11444fc54N.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4980 wrote to memory of 4884 | N/A | C:\Users\Admin\AppData\Local\Temp\7a76ffc52008454a2ec6f185247fd241ee691f5d178aade7c30dc5e11444fc54N.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\7a76ffc52008454a2ec6f185247fd241ee691f5d178aade7c30dc5e11444fc54N.exe
"C:\Users\Admin\AppData\Local\Temp\7a76ffc52008454a2ec6f185247fd241ee691f5d178aade7c30dc5e11444fc54N.exe"
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network
Files
C:\Windows\CTS.exe
| MD5 | 0f736d30fbdaebed364c4cd9f084e500 |
| SHA1 | d7e96b736463af4b3edacd5cc5525cb70c593334 |
| SHA256 | 431b7f30b7f8d520f69066b03b8dccbb35a6cb40a53c5e2320c6b5acf96b2e34 |
| SHA512 | 570a2f76d653414fedc12ed486f2bf0333dc860f52d70faa895d6b9951ac185317637d7b076e05c932f4c536259e19a952a716e9516d506d2a19de73c50f2566 |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
| MD5 | 5134d99509ee3e7fdea24b133c5fca87 |
| SHA1 | 860e35e2aa59a439c1fc103542a9c8087913ee36 |
| SHA256 | 55232313c58d860bb4cd1a2d4acda01ef7cb9e068196c3a28de38dbb7da1f336 |
| SHA512 | 22f9521fa500b9b7b6d9568d4eb0da9dbd6d488fee457622a258d376255c4ac85fea830dea79ba30085f7000d23e59e3fe15cfb9c90923fb4ee2be05b1ea3efe |
C:\Users\Admin\AppData\Local\Temp\iXeoKt7Br62YNAz.exe
| MD5 | bebbd41f0e75c2f5a9886612ab0d69c6 |
| SHA1 | 3efade209f569d3ce11486360f03dc067730ff81 |
| SHA256 | 04e399b29ad6857c0e04ea1f10ad2350e45261e13cd4e9011de58c4d70ef0dbf |
| SHA512 | 7e25fe49ae7b77056f75cd20c459fede97a2211468e6258e4b9e8a9dfd3cdac5535a4caa6953ed1a547eb66d1845a2c9351722a055ba489f4ef44d2aef2328a4 |