Malware Analysis Report

2025-03-15 04:26

Sample ID 241025-zs6hwasjgl
Target 7a76ffc52008454a2ec6f185247fd241ee691f5d178aade7c30dc5e11444fc54N
SHA256 7a76ffc52008454a2ec6f185247fd241ee691f5d178aade7c30dc5e11444fc54
Tags
discovery persistence spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

7a76ffc52008454a2ec6f185247fd241ee691f5d178aade7c30dc5e11444fc54

Threat Level: Shows suspicious behavior

The file 7a76ffc52008454a2ec6f185247fd241ee691f5d178aade7c30dc5e11444fc54N was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery persistence spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-25 20:59

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-25 20:59

Reported

2024-10-25 21:01

Platform

win7-20240729-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7a76ffc52008454a2ec6f185247fd241ee691f5d178aade7c30dc5e11444fc54N.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\CTS.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\7a76ffc52008454a2ec6f185247fd241ee691f5d178aade7c30dc5e11444fc54N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\7a76ffc52008454a2ec6f185247fd241ee691f5d178aade7c30dc5e11444fc54N.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7a76ffc52008454a2ec6f185247fd241ee691f5d178aade7c30dc5e11444fc54N.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7a76ffc52008454a2ec6f185247fd241ee691f5d178aade7c30dc5e11444fc54N.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7a76ffc52008454a2ec6f185247fd241ee691f5d178aade7c30dc5e11444fc54N.exe

"C:\Users\Admin\AppData\Local\Temp\7a76ffc52008454a2ec6f185247fd241ee691f5d178aade7c30dc5e11444fc54N.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A

Files

C:\Windows\CTS.exe

MD5 0f736d30fbdaebed364c4cd9f084e500
SHA1 d7e96b736463af4b3edacd5cc5525cb70c593334
SHA256 431b7f30b7f8d520f69066b03b8dccbb35a6cb40a53c5e2320c6b5acf96b2e34
SHA512 570a2f76d653414fedc12ed486f2bf0333dc860f52d70faa895d6b9951ac185317637d7b076e05c932f4c536259e19a952a716e9516d506d2a19de73c50f2566

C:\Users\Admin\AppData\Local\Temp\nYcRniIN7M4qloM.exe

MD5 085ebd119f5fc6b8f63720fac1166ff5
SHA1 af066018aadec31b8e70a124a158736aca897306
SHA256 b8411fe8ec499074fca9047f6983d920279e84ddf3b02b2dd5c08cf07ec44687
SHA512 adb0522830db26123347cb485c43b156f5c888510e52091ba0fafc22b650ad29630c027746c920321905c28259dce7ff63dded93a79efddd5567c68312117875

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-25 20:59

Reported

2024-10-25 21:01

Platform

win10v2004-20241007-en

Max time kernel

100s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7a76ffc52008454a2ec6f185247fd241ee691f5d178aade7c30dc5e11444fc54N.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\CTS.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\7a76ffc52008454a2ec6f185247fd241ee691f5d178aade7c30dc5e11444fc54N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\7a76ffc52008454a2ec6f185247fd241ee691f5d178aade7c30dc5e11444fc54N.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7a76ffc52008454a2ec6f185247fd241ee691f5d178aade7c30dc5e11444fc54N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\CTS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7a76ffc52008454a2ec6f185247fd241ee691f5d178aade7c30dc5e11444fc54N.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7a76ffc52008454a2ec6f185247fd241ee691f5d178aade7c30dc5e11444fc54N.exe

"C:\Users\Admin\AppData\Local\Temp\7a76ffc52008454a2ec6f185247fd241ee691f5d178aade7c30dc5e11444fc54N.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 72.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 101.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 210.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

C:\Windows\CTS.exe

MD5 0f736d30fbdaebed364c4cd9f084e500
SHA1 d7e96b736463af4b3edacd5cc5525cb70c593334
SHA256 431b7f30b7f8d520f69066b03b8dccbb35a6cb40a53c5e2320c6b5acf96b2e34
SHA512 570a2f76d653414fedc12ed486f2bf0333dc860f52d70faa895d6b9951ac185317637d7b076e05c932f4c536259e19a952a716e9516d506d2a19de73c50f2566

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 5134d99509ee3e7fdea24b133c5fca87
SHA1 860e35e2aa59a439c1fc103542a9c8087913ee36
SHA256 55232313c58d860bb4cd1a2d4acda01ef7cb9e068196c3a28de38dbb7da1f336
SHA512 22f9521fa500b9b7b6d9568d4eb0da9dbd6d488fee457622a258d376255c4ac85fea830dea79ba30085f7000d23e59e3fe15cfb9c90923fb4ee2be05b1ea3efe

C:\Users\Admin\AppData\Local\Temp\iXeoKt7Br62YNAz.exe

MD5 bebbd41f0e75c2f5a9886612ab0d69c6
SHA1 3efade209f569d3ce11486360f03dc067730ff81
SHA256 04e399b29ad6857c0e04ea1f10ad2350e45261e13cd4e9011de58c4d70ef0dbf
SHA512 7e25fe49ae7b77056f75cd20c459fede97a2211468e6258e4b9e8a9dfd3cdac5535a4caa6953ed1a547eb66d1845a2c9351722a055ba489f4ef44d2aef2328a4