Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
26-10-2024 04:20
Behavioral task
behavioral1
Sample
e968b406ff8ca1bafdeab76d0493784b73f4787a819d2441ccd7b413182be535.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
e968b406ff8ca1bafdeab76d0493784b73f4787a819d2441ccd7b413182be535.exe
Resource
win10v2004-20241007-en
General
-
Target
e968b406ff8ca1bafdeab76d0493784b73f4787a819d2441ccd7b413182be535.exe
-
Size
87KB
-
MD5
b9f84667cd97547bc32e99e242e4e587
-
SHA1
52558e7686fbaf1c0b2b8cb7474c076b8e163a3b
-
SHA256
e968b406ff8ca1bafdeab76d0493784b73f4787a819d2441ccd7b413182be535
-
SHA512
e0fa8fbe3daa5c8088a138672473b043bdda5385f7f765ded838fe81ef311567861022a243348006e85221c34981ebde389cd856fe61401a8849f5ddd61342c4
-
SSDEEP
1536:s9Z3KcR4mjD9r8226+v9Z3KcR4mjD9r8226+p3kvmcXxJ:sr3KcWmjRrzSvr3KcWmjRrzSWvmc7
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid Process 3568 oRyfYv80WIFjOWL.exe 1404 CTS.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" e968b406ff8ca1bafdeab76d0493784b73f4787a819d2441ccd7b413182be535.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" CTS.exe -
resource yara_rule behavioral2/memory/4356-0-0x0000000000A70000-0x0000000000A87000-memory.dmp upx behavioral2/files/0x000a000000023b40-6.dat upx behavioral2/memory/1404-7-0x0000000000DB0000-0x0000000000DC7000-memory.dmp upx behavioral2/memory/4356-9-0x0000000000A70000-0x0000000000A87000-memory.dmp upx behavioral2/files/0x0012000000023968-14.dat upx behavioral2/memory/1404-32-0x0000000000DB0000-0x0000000000DC7000-memory.dmp upx -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\CTS.exe e968b406ff8ca1bafdeab76d0493784b73f4787a819d2441ccd7b413182be535.exe File created C:\Windows\CTS.exe CTS.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CTS.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e968b406ff8ca1bafdeab76d0493784b73f4787a819d2441ccd7b413182be535.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 4356 e968b406ff8ca1bafdeab76d0493784b73f4787a819d2441ccd7b413182be535.exe Token: SeDebugPrivilege 1404 CTS.exe -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 4356 wrote to memory of 3568 4356 e968b406ff8ca1bafdeab76d0493784b73f4787a819d2441ccd7b413182be535.exe 85 PID 4356 wrote to memory of 3568 4356 e968b406ff8ca1bafdeab76d0493784b73f4787a819d2441ccd7b413182be535.exe 85 PID 4356 wrote to memory of 1404 4356 e968b406ff8ca1bafdeab76d0493784b73f4787a819d2441ccd7b413182be535.exe 87 PID 4356 wrote to memory of 1404 4356 e968b406ff8ca1bafdeab76d0493784b73f4787a819d2441ccd7b413182be535.exe 87 PID 4356 wrote to memory of 1404 4356 e968b406ff8ca1bafdeab76d0493784b73f4787a819d2441ccd7b413182be535.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\e968b406ff8ca1bafdeab76d0493784b73f4787a819d2441ccd7b413182be535.exe"C:\Users\Admin\AppData\Local\Temp\e968b406ff8ca1bafdeab76d0493784b73f4787a819d2441ccd7b413182be535.exe"1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4356 -
C:\Users\Admin\AppData\Local\Temp\oRyfYv80WIFjOWL.exeC:\Users\Admin\AppData\Local\Temp\oRyfYv80WIFjOWL.exe2⤵
- Executes dropped EXE
PID:3568
-
-
C:\Windows\CTS.exe"C:\Windows\CTS.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1404
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
393KB
MD57583ae276a3ffd5a3f11de985a0bcbb5
SHA159391be476bd2fc979df7fcb71f59b4f68b37a6c
SHA25604e4c366ce0611b7d593c4251f755a7ae4e33bb6f085affa40af31de5f9c47b4
SHA5129b2548d293e857098dc58065e03b90462595fad44d77bf3d6ed512cebbbde6d275ac3f7a8992f5b3fe8402fadf7d17bf63ea1de0564caba145be4f10f29a1f12
-
Filesize
16KB
MD595c9a037d3b01a21275aa6cc73b122a2
SHA1c19ed8afc95b91d0cc6bc075047de30eae015386
SHA2561d5edcbae3258efb07cc57ba8d7cd1ebe2eb5106ef1a894b787ed2857952c523
SHA512761bb76261712a597f610e3162fa1514d2f56d69d03d1b76b51c6b2a7b0c88bbd385b7dc849c6913f7d861fb3aed8551f26f640d90b621e8629abe2e4bfb6160
-
Filesize
71KB
MD522069d1278ebf7d1758e20c4b118c39a
SHA1cfd6c00953bc91dfa91a809e99a230b0ad222eec
SHA256c4875ef691c5e0dbcdc5dd700f610042ec63e251f184150eeb3e7ab1dde3c9ba
SHA5127ffbb4fce2779e7dc7ea19773a843eb174eb9e8dfc136a45ce8606c6c1657887f73409bfc780c391fe38dacc56c8a6ca4f84d3656236d631b42ec2946346b61d