Analysis Overview
SHA256
397e3dff9eee81b1d7ed2cccb04351afd61f2c7e50d5d987589b8d1a26e3599f
Threat Level: Shows suspicious behavior
The file 397e3dff9eee81b1d7ed2cccb04351afd61f2c7e50d5d987589b8d1a26e3599f was found to show suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Executes dropped EXE
Adds Run key to start application
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 21:20
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 21:20
Reported
2024-11-09 21:22
Platform
win7-20240903-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\397e3dff9eee81b1d7ed2cccb04351afd61f2c7e50d5d987589b8d1a26e3599f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\397e3dff9eee81b1d7ed2cccb04351afd61f2c7e50d5d987589b8d1a26e3599f.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\397e3dff9eee81b1d7ed2cccb04351afd61f2c7e50d5d987589b8d1a26e3599f.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\397e3dff9eee81b1d7ed2cccb04351afd61f2c7e50d5d987589b8d1a26e3599f.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1868 wrote to memory of 2188 | N/A | C:\Users\Admin\AppData\Local\Temp\397e3dff9eee81b1d7ed2cccb04351afd61f2c7e50d5d987589b8d1a26e3599f.exe | C:\Windows\CTS.exe |
| PID 1868 wrote to memory of 2188 | N/A | C:\Users\Admin\AppData\Local\Temp\397e3dff9eee81b1d7ed2cccb04351afd61f2c7e50d5d987589b8d1a26e3599f.exe | C:\Windows\CTS.exe |
| PID 1868 wrote to memory of 2188 | N/A | C:\Users\Admin\AppData\Local\Temp\397e3dff9eee81b1d7ed2cccb04351afd61f2c7e50d5d987589b8d1a26e3599f.exe | C:\Windows\CTS.exe |
| PID 1868 wrote to memory of 2188 | N/A | C:\Users\Admin\AppData\Local\Temp\397e3dff9eee81b1d7ed2cccb04351afd61f2c7e50d5d987589b8d1a26e3599f.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\397e3dff9eee81b1d7ed2cccb04351afd61f2c7e50d5d987589b8d1a26e3599f.exe
"C:\Users\Admin\AppData\Local\Temp\397e3dff9eee81b1d7ed2cccb04351afd61f2c7e50d5d987589b8d1a26e3599f.exe"
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network
Files
C:\Windows\CTS.exe
| MD5 | 0f736d30fbdaebed364c4cd9f084e500 |
| SHA1 | d7e96b736463af4b3edacd5cc5525cb70c593334 |
| SHA256 | 431b7f30b7f8d520f69066b03b8dccbb35a6cb40a53c5e2320c6b5acf96b2e34 |
| SHA512 | 570a2f76d653414fedc12ed486f2bf0333dc860f52d70faa895d6b9951ac185317637d7b076e05c932f4c536259e19a952a716e9516d506d2a19de73c50f2566 |
C:\Users\Admin\AppData\Local\Temp\2SYkAB88y2NThTI.exe
| MD5 | f30c2111eada81ba97f56b9354d67d0b |
| SHA1 | bfd6398a18dde3f73fc15d8cb47b635b5c1040e1 |
| SHA256 | 7c50503755ba30b7e4679437866e2d4fc18f54f1a814f6ea85289bf8c55adf00 |
| SHA512 | c466241ebaf003df1cbbf7fdc8b47135a0851c0d0caa7cced384c4dc11e162da72677ecd91e7a9d3ab99c80adc0697d9b0117fec552794f6530d2982780c5586 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 21:20
Reported
2024-11-09 21:22
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\397e3dff9eee81b1d7ed2cccb04351afd61f2c7e50d5d987589b8d1a26e3599f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\397e3dff9eee81b1d7ed2cccb04351afd61f2c7e50d5d987589b8d1a26e3599f.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\397e3dff9eee81b1d7ed2cccb04351afd61f2c7e50d5d987589b8d1a26e3599f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\CTS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\397e3dff9eee81b1d7ed2cccb04351afd61f2c7e50d5d987589b8d1a26e3599f.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4068 wrote to memory of 2032 | N/A | C:\Users\Admin\AppData\Local\Temp\397e3dff9eee81b1d7ed2cccb04351afd61f2c7e50d5d987589b8d1a26e3599f.exe | C:\Windows\CTS.exe |
| PID 4068 wrote to memory of 2032 | N/A | C:\Users\Admin\AppData\Local\Temp\397e3dff9eee81b1d7ed2cccb04351afd61f2c7e50d5d987589b8d1a26e3599f.exe | C:\Windows\CTS.exe |
| PID 4068 wrote to memory of 2032 | N/A | C:\Users\Admin\AppData\Local\Temp\397e3dff9eee81b1d7ed2cccb04351afd61f2c7e50d5d987589b8d1a26e3599f.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\397e3dff9eee81b1d7ed2cccb04351afd61f2c7e50d5d987589b8d1a26e3599f.exe
"C:\Users\Admin\AppData\Local\Temp\397e3dff9eee81b1d7ed2cccb04351afd61f2c7e50d5d987589b8d1a26e3599f.exe"
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 213.143.182.52.in-addr.arpa | udp |
Files
C:\Windows\CTS.exe
| MD5 | 0f736d30fbdaebed364c4cd9f084e500 |
| SHA1 | d7e96b736463af4b3edacd5cc5525cb70c593334 |
| SHA256 | 431b7f30b7f8d520f69066b03b8dccbb35a6cb40a53c5e2320c6b5acf96b2e34 |
| SHA512 | 570a2f76d653414fedc12ed486f2bf0333dc860f52d70faa895d6b9951ac185317637d7b076e05c932f4c536259e19a952a716e9516d506d2a19de73c50f2566 |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
| MD5 | fb8c2d7abf85104c12e482800a6b827d |
| SHA1 | 5679e6b0175b215ca7fe80b6577c8ccf5fdf8739 |
| SHA256 | 324fd5ab8d0bbca313a0f5860475817bc4f9c9bb38647fd535ff42b6c8447164 |
| SHA512 | b933726c30643484b89565c270ca42a89f2f19a00378f129f0b02f52ae09cdcbca5c93b8e7b326f6dc327cfeb1981e39d21f5b41a4d96ac4e30d5d7392508b01 |
C:\Users\Admin\AppData\Local\Temp\3pvi8BiCRjqqu5r.exe
| MD5 | 19dfc86da778946ab35648f69416a74e |
| SHA1 | ccf078409160dcb384d45c0a3acbe9e90b02b2a4 |
| SHA256 | a515c73a74e140954176124f4746e00f321f8eeb106b577ff443a911acc60aa7 |
| SHA512 | 2f32f15bbaaeb4a1a01c2ba26dd7dbd6a912bbb398fe50c8f0a4f7665678e94ac0e3be61838d1d89ef8712fcc30e3e778683282ccfc5a8fccae151c5b3cfdc71 |