Malware Analysis Report

2025-08-05 23:18

Sample ID 250115-11rkcsyjfn
Target 4b3a49bb78745161a8e6a97e7ad6d4d3b5197a6adf9ed2696ef0b6774657a326N.exe
SHA256 4b3a49bb78745161a8e6a97e7ad6d4d3b5197a6adf9ed2696ef0b6774657a326
Tags
discovery persistence spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

4b3a49bb78745161a8e6a97e7ad6d4d3b5197a6adf9ed2696ef0b6774657a326

Threat level: shows suspicious behavior

The file 4b3a49bb78745161a8e6a97e7ad6d4d3b5197a6adf9ed2696ef0b6774657a326N.exe was found to show suspicious behavior (score 7/10): it drops and executes a copy of itself as C:\Windows\CTS.exe and registers it under the Run key.

Malicious Activity Summary

discovery persistence spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-15 22:07

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-15 22:07

Reported

2025-01-15 22:09

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4b3a49bb78745161a8e6a97e7ad6d4d3b5197a6adf9ed2696ef0b6774657a326N.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\CTS.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\4b3a49bb78745161a8e6a97e7ad6d4d3b5197a6adf9ed2696ef0b6774657a326N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A

The value lands under WOW6432Node, which is where a 32-bit process's write to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run is redirected on 64-bit Windows, so the sample runs as a 32-bit image. Both the native and the WOW6432Node Run keys are processed at logon, so the entry is effective; when hunting, check both views. Note that the original sample and the dropped CTS.exe each set the value.

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\4b3a49bb78745161a8e6a97e7ad6d4d3b5197a6adf9ed2696ef0b6774657a326N.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A

The dropped copy re-creates its own path and (per the Run-key rows above) its own Run value, so the running CTS.exe re-establishes persistence on its own once the original sample is gone. Remove the file and the Run value together, with the process stopped, or one will restore the other. Writing to C:\Windows requires administrative rights, which is consistent with the SeDebugPrivilege adjustment recorded below.

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4b3a49bb78745161a8e6a97e7ad6d4d3b5197a6adf9ed2696ef0b6774657a326N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\CTS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4b3a49bb78745161a8e6a97e7ad6d4d3b5197a6adf9ed2696ef0b6774657a326N.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4b3a49bb78745161a8e6a97e7ad6d4d3b5197a6adf9ed2696ef0b6774657a326N.exe

"C:\Users\Admin\AppData\Local\Temp\4b3a49bb78745161a8e6a97e7ad6d4d3b5197a6adf9ed2696ef0b6774657a326N.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

All recorded traffic consists of reverse-DNS (PTR) queries for in-addr.arpa names sent to 8.8.8.8:53; the report lists no outbound connection to the looked-up addresses themselves, so none of these entries is a confirmed command-and-control destination.

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 85.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 86.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

C:\Windows\CTS.exe

MD5 0f736d30fbdaebed364c4cd9f084e500
SHA1 d7e96b736463af4b3edacd5cc5525cb70c593334
SHA256 431b7f30b7f8d520f69066b03b8dccbb35a6cb40a53c5e2320c6b5acf96b2e34
SHA512 570a2f76d653414fedc12ed486f2bf0333dc860f52d70faa895d6b9951ac185317637d7b076e05c932f4c536259e19a952a716e9516d506d2a19de73c50f2566

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 c6c3342d8abbd11d14204f7d14028537
SHA1 d8c95355598e98a1ff235ec59d4ceefab7fc13c8
SHA256 0830df684f861bfd84e05cb924c8cbfdee07cd2bad99f61268b940d044a44dad
SHA512 97b921f112c9ac56b2062f6b46b9a6cac8882df81e7d86a301fe6463ef5383fd5728e3159c879c3fa5344c1923ead8f0f245767e40ed683d1197e62855fd1bcb

C:\Users\Admin\AppData\Local\Temp\maavD4Rvfrw8Fwa.exe

MD5 8529a40b2347d8405b4c024885cd10f3
SHA1 c5aeaae984bcfe369831588eb96b06b00f42e8e3
SHA256 b61451c335fc2e0bbdfbcdb1579c51bbea3dd36ae496da13020bf50fd2ec9ec9
SHA512 02d7418eb3dfe527ebe1c0b98e14feb703bd503bd869724da031b38dbe14302ef4e2d650d03225e7f221f589d075b7a3437060a592b0f675883d39e8f863b59c

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-15 22:07

Reported

2025-01-15 22:09

Platform

win7-20240903-en

Max time kernel

15s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4b3a49bb78745161a8e6a97e7ad6d4d3b5197a6adf9ed2696ef0b6774657a326N.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\CTS.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\4b3a49bb78745161a8e6a97e7ad6d4d3b5197a6adf9ed2696ef0b6774657a326N.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\4b3a49bb78745161a8e6a97e7ad6d4d3b5197a6adf9ed2696ef0b6774657a326N.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4b3a49bb78745161a8e6a97e7ad6d4d3b5197a6adf9ed2696ef0b6774657a326N.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4b3a49bb78745161a8e6a97e7ad6d4d3b5197a6adf9ed2696ef0b6774657a326N.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4b3a49bb78745161a8e6a97e7ad6d4d3b5197a6adf9ed2696ef0b6774657a326N.exe

"C:\Users\Admin\AppData\Local\Temp\4b3a49bb78745161a8e6a97e7ad6d4d3b5197a6adf9ed2696ef0b6774657a326N.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A

Files

C:\Windows\CTS.exe

MD5 0f736d30fbdaebed364c4cd9f084e500
SHA1 d7e96b736463af4b3edacd5cc5525cb70c593334
SHA256 431b7f30b7f8d520f69066b03b8dccbb35a6cb40a53c5e2320c6b5acf96b2e34
SHA512 570a2f76d653414fedc12ed486f2bf0333dc860f52d70faa895d6b9951ac185317637d7b076e05c932f4c536259e19a952a716e9516d506d2a19de73c50f2566

C:\Users\Admin\AppData\Local\Temp\058Nzl6HHhHFOQj.exe

MD5 41ac41fb16de9ab162ba01bb296a90e7
SHA1 b8595b6f4da1db5eeecb0c049308c0f4927a6ec7
SHA256 6d00afb77cba2df26321b4ac0dd7df5e3352f14694f6175be49f940765c3d3d7
SHA512 b6d14aeacb14133bd22bc92064b7ae91f0780e46f11055e8d61a606d682956f8555b567c29a75731085886ac19fdf873290c7215573be46b2825bb1ad2b905b2
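Host-side check for the indicators above, added by the editor; it is not part of the sandbox report and not code from the sample. The drop path C:\Windows\CTS.exe, the Run value name CTS and the SHA256 hashes are taken from the Signatures and Files sections of both runs; treating any Run value whose data points at C:\Windows\CTS.exe as a hit, regardless of its name, is the editor's generalisation. Two observations from the report drive the design: the Temp-dropped executables have different names and hashes in the two runs (maavD4Rvfrw8Fwa.exe versus 058Nzl6HHhHFOQj.exe), so they are matched by hash rather than by name; and the SHA256 of C:\Windows\CTS.exe (431b7f30...) differs from the submitted sample's (4b3a49bb...), so the dropped copy is not byte-identical to the original and a hash mismatch on that path is reported as a possible variant rather than ignored. Assumes an elevated PowerShell prompt on the host being examined.

```powershell
# Added hunting script (editor's example, not part of the report). Checks one host for:
#   1. the "CTS" Run value (native and WOW6432Node views), or any Run value pointing at C:\Windows\CTS.exe
#   2. the dropped binary C:\Windows\CTS.exe, with its SHA256 compared against the report
#   3. randomly named Temp drops, matched by SHA256 only (names change per run)
#   4. a running process started from the dropped path
# Requires an elevated prompt; hashes and paths below are taken from the report.

$ReportHashes = @{
    '4b3a49bb78745161a8e6a97e7ad6d4d3b5197a6adf9ed2696ef0b6774657a326' = 'submitted sample'
    '431b7f30b7f8d520f69066b03b8dccbb35a6cb40a53c5e2320c6b5acf96b2e34' = 'dropped C:\Windows\CTS.exe'
    'b61451c335fc2e0bbdfbcdb1579c51bbea3dd36ae496da13020bf50fd2ec9ec9' = 'Temp drop (win10 run)'
    '6d00afb77cba2df26321b4ac0dd7df5e3352f14694f6175be49f940765c3d3d7' = 'Temp drop (win7 run)'
}

# Both registry views: a 32-bit writer is redirected to WOW6432Node, a 64-bit one is not.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$PsMeta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')  # provider metadata, not registry values
$drop   = Join-Path $env:SystemRoot 'CTS.exe'
$findings = @()

# 1. Run-key persistence
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($PsMeta -contains $p.Name) { continue }
        # value named CTS, or any value whose data references the dropped path (editor's generalisation)
        if ($p.Name -eq 'CTS' -or "$($p.Value)" -match '\\Windows\\CTS\.exe') {
            $findings += [pscustomobject]@{ Type = 'RunKey'; Where = "$key\$($p.Name)"; Detail = $p.Value }
        }
    }
}

# 2. Dropped binary in the Windows directory, hash-compared against the report
if (Test-Path $drop) {
    $h = (Get-FileHash -Path $drop -Algorithm SHA256).Hash.ToLower()
    $verdict = if ($ReportHashes.ContainsKey($h)) { 'SHA256 matches report' } else { 'SHA256 differs from report (possible variant)' }
    $findings += [pscustomobject]@{ Type = 'DroppedFile'; Where = $drop; Detail = "$h - $verdict" }
}

# 3. Temp drops across all user profiles, matched by hash only
$tempDirs = Get-ChildItem (Join-Path $env:SystemDrive 'Users') -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Local\Temp' } |
    Where-Object { Test-Path $_ }
foreach ($dir in $tempDirs) {
    foreach ($f in (Get-ChildItem -Path $dir -Filter *.exe -File -ErrorAction SilentlyContinue)) {
        $fh = Get-FileHash -Path $f.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
        if ($fh -and $ReportHashes.ContainsKey($fh.Hash.ToLower())) {
            $findings += [pscustomobject]@{ Type = 'TempDrop'; Where = $f.FullName; Detail = $ReportHashes[$fh.Hash.ToLower()] }
        }
    }
}

# 4. Live process running from the dropped path (Path is null for some system processes)
foreach ($proc in (Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.Path -and $_.Path -ieq $drop })) {
    $findings += [pscustomobject]@{ Type = 'Process'; Where = "PID $($proc.Id)"; Detail = $proc.Path }
}

if ($findings.Count -eq 0) { 'No indicators from this report found on this host.' }
else { $findings | Format-Table -AutoSize }
```

On a 64-bit host the expected hit is the CTS value in the WOW6432Node view together with C:\Windows\CTS.exe. If only one of the two is present, assume the other was just removed or is about to be rewritten: the report shows both the original sample and the dropped copy re-creating the file and the value, so stop the process first, then delete the file and the Run value in the same pass.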