Analysis

  • max time kernel
    93s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15/01/2025, 22:07

General

  • Target

    4b3a49bb78745161a8e6a97e7ad6d4d3b5197a6adf9ed2696ef0b6774657a326N.exe

  • Size

    899KB

  • MD5

    054f61a32bdc6c4e74da19e22ef7f130

  • SHA1

    df2c48ed2f6af92f7f621dbf51829441545c0ea4

  • SHA256

    4b3a49bb78745161a8e6a97e7ad6d4d3b5197a6adf9ed2696ef0b6774657a326

  • SHA512

    76996ab47b18d4e5a2c6820af190a737e5f7a7baee9533a2535a32f8bb6047cd8621fedd947767f10ba04ef8a27416b92f2a13b0295fdb7c6a1b3ccfa304e3a7

  • SSDEEP

    24576:G0jJ5gLpwkRKMsj4SR3C6Z4b2s9/lIbzNICPHMHr:G0j0LL87x3CE4Ks9daDPHe

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies, and similar sensitive items.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4b3a49bb78745161a8e6a97e7ad6d4d3b5197a6adf9ed2696ef0b6774657a326N.exe
    "C:\Users\Admin\AppData\Local\Temp\4b3a49bb78745161a8e6a97e7ad6d4d3b5197a6adf9ed2696ef0b6774657a326N.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2036
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2128

Network

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

          Filesize

          410KB

          MD5

          c6c3342d8abbd11d14204f7d14028537

          SHA1

          d8c95355598e98a1ff235ec59d4ceefab7fc13c8

          SHA256

          0830df684f861bfd84e05cb924c8cbfdee07cd2bad99f61268b940d044a44dad

          SHA512

          97b921f112c9ac56b2062f6b46b9a6cac8882df81e7d86a301fe6463ef5383fd5728e3159c879c3fa5344c1923ead8f0f245767e40ed683d1197e62855fd1bcb

        • C:\Users\Admin\AppData\Local\Temp\maavD4Rvfrw8Fwa.exe

          Filesize

          899KB

          MD5

          8529a40b2347d8405b4c024885cd10f3

          SHA1

          c5aeaae984bcfe369831588eb96b06b00f42e8e3

          SHA256

          b61451c335fc2e0bbdfbcdb1579c51bbea3dd36ae496da13020bf50fd2ec9ec9

          SHA512

          02d7418eb3dfe527ebe1c0b98e14feb703bd503bd869724da031b38dbe14302ef4e2d650d03225e7f221f589d075b7a3437060a592b0f675883d39e8f863b59c

        • C:\Windows\CTS.exe

          Filesize

          86KB

          MD5

          0f736d30fbdaebed364c4cd9f084e500

          SHA1

          d7e96b736463af4b3edacd5cc5525cb70c593334

          SHA256

          431b7f30b7f8d520f69066b03b8dccbb35a6cb40a53c5e2320c6b5acf96b2e34

          SHA512

          570a2f76d653414fedc12ed486f2bf0333dc860f52d70faa895d6b9951ac185317637d7b076e05c932f4c536259e19a952a716e9516d506d2a19de73c50f2566