Malware Analysis Report

2025-05-06 00:24

Sample ID: 241109-z6s5ps1qdz
Target: 397e3dff9eee81b1d7ed2cccb04351afd61f2c7e50d5d987589b8d1a26e3599f
SHA256: 397e3dff9eee81b1d7ed2cccb04351afd61f2c7e50d5d987589b8d1a26e3599f
Tags: discovery, persistence, spyware, stealer
Score: 7/10


Analysis Overview

Score: 7/10

SHA256: 397e3dff9eee81b1d7ed2cccb04351afd61f2c7e50d5d987589b8d1a26e3599f

Threat Level: Shows suspicious behavior

The file 397e3dff9eee81b1d7ed2cccb04351afd61f2c7e50d5d987589b8d1a26e3599f was classified as: Shows suspicious behavior.

Malicious Activity Summary

Tags: discovery, persistence, spyware, stealer

Reads user/profile data of web browsers

Executes dropped EXE

Adds Run key to start application

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory


Analysis: static1

Detonation Overview

Reported

2024-11-09 21:20

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 21:20

Reported

2024-11-09 21:22

Platform

win7-20240903-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\397e3dff9eee81b1d7ed2cccb04351afd61f2c7e50d5d987589b8d1a26e3599f.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\CTS.exe | N/A

Reads user/profile data of web browsers

Tags: spyware, stealer

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\397e3dff9eee81b1d7ed2cccb04351afd61f2c7e50d5d987589b8d1a26e3599f.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\397e3dff9eee81b1d7ed2cccb04351afd61f2c7e50d5d987589b8d1a26e3599f.exe | N/A

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\397e3dff9eee81b1d7ed2cccb04351afd61f2c7e50d5d987589b8d1a26e3599f.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\397e3dff9eee81b1d7ed2cccb04351afd61f2c7e50d5d987589b8d1a26e3599f.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\397e3dff9eee81b1d7ed2cccb04351afd61f2c7e50d5d987589b8d1a26e3599f.exe

"C:\Users\Admin\AppData\Local\Temp\397e3dff9eee81b1d7ed2cccb04351afd61f2c7e50d5d987589b8d1a26e3599f.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A

Files

C:\Windows\CTS.exe

MD5 0f736d30fbdaebed364c4cd9f084e500
SHA1 d7e96b736463af4b3edacd5cc5525cb70c593334
SHA256 431b7f30b7f8d520f69066b03b8dccbb35a6cb40a53c5e2320c6b5acf96b2e34
SHA512 570a2f76d653414fedc12ed486f2bf0333dc860f52d70faa895d6b9951ac185317637d7b076e05c932f4c536259e19a952a716e9516d506d2a19de73c50f2566

C:\Users\Admin\AppData\Local\Temp\2SYkAB88y2NThTI.exe

MD5 f30c2111eada81ba97f56b9354d67d0b
SHA1 bfd6398a18dde3f73fc15d8cb47b635b5c1040e1
SHA256 7c50503755ba30b7e4679437866e2d4fc18f54f1a814f6ea85289bf8c55adf00
SHA512 c466241ebaf003df1cbbf7fdc8b47135a0851c0d0caa7cced384c4dc11e162da72677ecd91e7a9d3ab99c80adc0697d9b0117fec552794f6530d2982780c5586

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 21:20

Reported

2024-11-09 21:22

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\397e3dff9eee81b1d7ed2cccb04351afd61f2c7e50d5d987589b8d1a26e3599f.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\CTS.exe | N/A

Reads user/profile data of web browsers

Tags: spyware, stealer

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\397e3dff9eee81b1d7ed2cccb04351afd61f2c7e50d5d987589b8d1a26e3599f.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\397e3dff9eee81b1d7ed2cccb04351afd61f2c7e50d5d987589b8d1a26e3599f.exe | N/A
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\397e3dff9eee81b1d7ed2cccb04351afd61f2c7e50d5d987589b8d1a26e3599f.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\CTS.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\397e3dff9eee81b1d7ed2cccb04351afd61f2c7e50d5d987589b8d1a26e3599f.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\397e3dff9eee81b1d7ed2cccb04351afd61f2c7e50d5d987589b8d1a26e3599f.exe

"C:\Users\Admin\AppData\Local\Temp\397e3dff9eee81b1d7ed2cccb04351afd61f2c7e50d5d987589b8d1a26e3599f.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 213.143.182.52.in-addr.arpa | udp

Files

C:\Windows\CTS.exe

MD5 0f736d30fbdaebed364c4cd9f084e500
SHA1 d7e96b736463af4b3edacd5cc5525cb70c593334
SHA256 431b7f30b7f8d520f69066b03b8dccbb35a6cb40a53c5e2320c6b5acf96b2e34
SHA512 570a2f76d653414fedc12ed486f2bf0333dc860f52d70faa895d6b9951ac185317637d7b076e05c932f4c536259e19a952a716e9516d506d2a19de73c50f2566

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 fb8c2d7abf85104c12e482800a6b827d
SHA1 5679e6b0175b215ca7fe80b6577c8ccf5fdf8739
SHA256 324fd5ab8d0bbca313a0f5860475817bc4f9c9bb38647fd535ff42b6c8447164
SHA512 b933726c30643484b89565c270ca42a89f2f19a00378f129f0b02f52ae09cdcbca5c93b8e7b326f6dc327cfeb1981e39d21f5b41a4d96ac4e30d5d7392508b01

C:\Users\Admin\AppData\Local\Temp\3pvi8BiCRjqqu5r.exe

MD5 19dfc86da778946ab35648f69416a74e
SHA1 ccf078409160dcb384d45c0a3acbe9e90b02b2a4
SHA256 a515c73a74e140954176124f4746e00f321f8eeb106b577ff443a911acc60aa7
SHA512 2f32f15bbaaeb4a1a01c2ba26dd7dbd6a912bbb398fe50c8f0a4f7665678e94ac0e3be61838d1d89ef8712fcc30e3e778683282ccfc5a8fccae151c5b3cfdc71