Analysis

  • max time kernel
    15s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    15/01/2025, 22:07

General

  • Target

    4b3a49bb78745161a8e6a97e7ad6d4d3b5197a6adf9ed2696ef0b6774657a326N.exe

  • Size

    899KB

  • MD5

    054f61a32bdc6c4e74da19e22ef7f130

  • SHA1

    df2c48ed2f6af92f7f621dbf51829441545c0ea4

  • SHA256

    4b3a49bb78745161a8e6a97e7ad6d4d3b5197a6adf9ed2696ef0b6774657a326

  • SHA512

    76996ab47b18d4e5a2c6820af190a737e5f7a7baee9533a2535a32f8bb6047cd8621fedd947767f10ba04ef8a27416b92f2a13b0295fdb7c6a1b3ccfa304e3a7

  • SSDEEP

    24576:G0jJ5gLpwkRKMsj4SR3C6Z4b2s9/lIbzNICPHMHr:G0j0LL87x3CE4Ks9daDPHe

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim host in order to infer its geographical location.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4b3a49bb78745161a8e6a97e7ad6d4d3b5197a6adf9ed2696ef0b6774657a326N.exe
    "C:\Users\Admin\AppData\Local\Temp\4b3a49bb78745161a8e6a97e7ad6d4d3b5197a6adf9ed2696ef0b6774657a326N.exe"
    • Adds Run key to start application
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2260
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:1584

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\058Nzl6HHhHFOQj.exe

    Filesize

    899KB

    MD5

    41ac41fb16de9ab162ba01bb296a90e7

    SHA1

    b8595b6f4da1db5eeecb0c049308c0f4927a6ec7

    SHA256

    6d00afb77cba2df26321b4ac0dd7df5e3352f14694f6175be49f940765c3d3d7

    SHA512

    b6d14aeacb14133bd22bc92064b7ae91f0780e46f11055e8d61a606d682956f8555b567c29a75731085886ac19fdf873290c7215573be46b2825bb1ad2b905b2

  • C:\Windows\CTS.exe

    Filesize

    86KB

    MD5

    0f736d30fbdaebed364c4cd9f084e500

    SHA1

    d7e96b736463af4b3edacd5cc5525cb70c593334

    SHA256

    431b7f30b7f8d520f69066b03b8dccbb35a6cb40a53c5e2320c6b5acf96b2e34

    SHA512

    570a2f76d653414fedc12ed486f2bf0333dc860f52d70faa895d6b9951ac185317637d7b076e05c932f4c536259e19a952a716e9516d506d2a19de73c50f2566