Analysis Overview
SHA256
4b3a49bb78745161a8e6a97e7ad6d4d3b5197a6adf9ed2696ef0b6774657a326
Threat Level: Shows suspicious behavior
The file 4b3a49bb78745161a8e6a97e7ad6d4d3b5197a6adf9ed2696ef0b6774657a326N.exe was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-15 22:07
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-15 22:07
Reported
2025-01-15 22:09
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
95s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\4b3a49bb78745161a8e6a97e7ad6d4d3b5197a6adf9ed2696ef0b6774657a326N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\4b3a49bb78745161a8e6a97e7ad6d4d3b5197a6adf9ed2696ef0b6774657a326N.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4b3a49bb78745161a8e6a97e7ad6d4d3b5197a6adf9ed2696ef0b6774657a326N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\CTS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4b3a49bb78745161a8e6a97e7ad6d4d3b5197a6adf9ed2696ef0b6774657a326N.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2036 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\4b3a49bb78745161a8e6a97e7ad6d4d3b5197a6adf9ed2696ef0b6774657a326N.exe | C:\Windows\CTS.exe |
| PID 2036 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\4b3a49bb78745161a8e6a97e7ad6d4d3b5197a6adf9ed2696ef0b6774657a326N.exe | C:\Windows\CTS.exe |
| PID 2036 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\4b3a49bb78745161a8e6a97e7ad6d4d3b5197a6adf9ed2696ef0b6774657a326N.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\4b3a49bb78745161a8e6a97e7ad6d4d3b5197a6adf9ed2696ef0b6774657a326N.exe
"C:\Users\Admin\AppData\Local\Temp\4b3a49bb78745161a8e6a97e7ad6d4d3b5197a6adf9ed2696ef0b6774657a326N.exe"
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network
Files
C:\Windows\CTS.exe
| MD5 | 0f736d30fbdaebed364c4cd9f084e500 |
| SHA1 | d7e96b736463af4b3edacd5cc5525cb70c593334 |
| SHA256 | 431b7f30b7f8d520f69066b03b8dccbb35a6cb40a53c5e2320c6b5acf96b2e34 |
| SHA512 | 570a2f76d653414fedc12ed486f2bf0333dc860f52d70faa895d6b9951ac185317637d7b076e05c932f4c536259e19a952a716e9516d506d2a19de73c50f2566 |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
| MD5 | c6c3342d8abbd11d14204f7d14028537 |
| SHA1 | d8c95355598e98a1ff235ec59d4ceefab7fc13c8 |
| SHA256 | 0830df684f861bfd84e05cb924c8cbfdee07cd2bad99f61268b940d044a44dad |
| SHA512 | 97b921f112c9ac56b2062f6b46b9a6cac8882df81e7d86a301fe6463ef5383fd5728e3159c879c3fa5344c1923ead8f0f245767e40ed683d1197e62855fd1bcb |
C:\Users\Admin\AppData\Local\Temp\maavD4Rvfrw8Fwa.exe
| MD5 | 8529a40b2347d8405b4c024885cd10f3 |
| SHA1 | c5aeaae984bcfe369831588eb96b06b00f42e8e3 |
| SHA256 | b61451c335fc2e0bbdfbcdb1579c51bbea3dd36ae496da13020bf50fd2ec9ec9 |
| SHA512 | 02d7418eb3dfe527ebe1c0b98e14feb703bd503bd869724da031b38dbe14302ef4e2d650d03225e7f221f589d075b7a3437060a592b0f675883d39e8f863b59c |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-15 22:07
Reported
2025-01-15 22:09
Platform
win7-20240903-en
Max time kernel
15s
Max time network
16s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\4b3a49bb78745161a8e6a97e7ad6d4d3b5197a6adf9ed2696ef0b6774657a326N.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\4b3a49bb78745161a8e6a97e7ad6d4d3b5197a6adf9ed2696ef0b6774657a326N.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4b3a49bb78745161a8e6a97e7ad6d4d3b5197a6adf9ed2696ef0b6774657a326N.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4b3a49bb78745161a8e6a97e7ad6d4d3b5197a6adf9ed2696ef0b6774657a326N.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2260 wrote to memory of 1584 | N/A | C:\Users\Admin\AppData\Local\Temp\4b3a49bb78745161a8e6a97e7ad6d4d3b5197a6adf9ed2696ef0b6774657a326N.exe | C:\Windows\CTS.exe |
| PID 2260 wrote to memory of 1584 | N/A | C:\Users\Admin\AppData\Local\Temp\4b3a49bb78745161a8e6a97e7ad6d4d3b5197a6adf9ed2696ef0b6774657a326N.exe | C:\Windows\CTS.exe |
| PID 2260 wrote to memory of 1584 | N/A | C:\Users\Admin\AppData\Local\Temp\4b3a49bb78745161a8e6a97e7ad6d4d3b5197a6adf9ed2696ef0b6774657a326N.exe | C:\Windows\CTS.exe |
| PID 2260 wrote to memory of 1584 | N/A | C:\Users\Admin\AppData\Local\Temp\4b3a49bb78745161a8e6a97e7ad6d4d3b5197a6adf9ed2696ef0b6774657a326N.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\4b3a49bb78745161a8e6a97e7ad6d4d3b5197a6adf9ed2696ef0b6774657a326N.exe
"C:\Users\Admin\AppData\Local\Temp\4b3a49bb78745161a8e6a97e7ad6d4d3b5197a6adf9ed2696ef0b6774657a326N.exe"
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network
Files
C:\Windows\CTS.exe
| MD5 | 0f736d30fbdaebed364c4cd9f084e500 |
| SHA1 | d7e96b736463af4b3edacd5cc5525cb70c593334 |
| SHA256 | 431b7f30b7f8d520f69066b03b8dccbb35a6cb40a53c5e2320c6b5acf96b2e34 |
| SHA512 | 570a2f76d653414fedc12ed486f2bf0333dc860f52d70faa895d6b9951ac185317637d7b076e05c932f4c536259e19a952a716e9516d506d2a19de73c50f2566 |
C:\Users\Admin\AppData\Local\Temp\058Nzl6HHhHFOQj.exe
| MD5 | 41ac41fb16de9ab162ba01bb296a90e7 |
| SHA1 | b8595b6f4da1db5eeecb0c049308c0f4927a6ec7 |
| SHA256 | 6d00afb77cba2df26321b4ac0dd7df5e3352f14694f6175be49f940765c3d3d7 |
| SHA512 | b6d14aeacb14133bd22bc92064b7ae91f0780e46f11055e8d61a606d682956f8555b567c29a75731085886ac19fdf873290c7215573be46b2825bb1ad2b905b2 |