Analysis
- max time kernel: 117s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 01-07-2024 03:48
Static task: static1
Behavioral task: behavioral1
  Sample: dd6f11369c7851bd5f3553e8d9516214.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: dd6f11369c7851bd5f3553e8d9516214.exe
  Resource: win10v2004-20240611-en
General
- Target: dd6f11369c7851bd5f3553e8d9516214.exe
- Size: 214KB
- MD5: dd6f11369c7851bd5f3553e8d9516214
- SHA1: b2d9f99e12ac6d0e1adb70f883a220ae6e28752c
- SHA256: c897c6077d4a6dece0df7d91eaf9bc6be011c92b5261012ca0fa896600caaa30
- SHA512: 5b0cce7f1ec91d4365e443c53e7ea173b3c1a22850734de68efb9692a484967fe5ce5cb38d15df90eef8ea3119f53ae8b536fed5e32df57fb2caa0ac73004973
- SSDEEP: 3072:ZhpAyazIlyazTIFTZIPrsrVbmTk31LI2cu8vKLiGaiWdPHabe571Y:hZMazU8DsrVbmTC1Ltc1OiGa7dY1
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes:
    pid   process
    2784  fak9RC7WXL614mZ.exe
    2340  CTS.exe
- Loads dropped DLL (1 IoC)
  Processes:
    pid   process
    1900  dd6f11369c7851bd5f3553e8d9516214.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    description      ioc                                                                                                    process
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"  dd6f11369c7851bd5f3553e8d9516214.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"  CTS.exe
- Drops file in Windows directory (2 IoCs)
  Processes:
    description   ioc                 process
    File created  C:\Windows\CTS.exe  dd6f11369c7851bd5f3553e8d9516214.exe
    File created  C:\Windows\CTS.exe  CTS.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  1900  dd6f11369c7851bd5f3553e8d9516214.exe
    Token: SeDebugPrivilege  2340  CTS.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description                       pid   process                               target process
    PID 1900 wrote to memory of 2784  1900  dd6f11369c7851bd5f3553e8d9516214.exe  fak9RC7WXL614mZ.exe
    PID 1900 wrote to memory of 2784  1900  dd6f11369c7851bd5f3553e8d9516214.exe  fak9RC7WXL614mZ.exe
    PID 1900 wrote to memory of 2784  1900  dd6f11369c7851bd5f3553e8d9516214.exe  fak9RC7WXL614mZ.exe
    PID 1900 wrote to memory of 2784  1900  dd6f11369c7851bd5f3553e8d9516214.exe  fak9RC7WXL614mZ.exe
    PID 1900 wrote to memory of 2340  1900  dd6f11369c7851bd5f3553e8d9516214.exe  CTS.exe
    PID 1900 wrote to memory of 2340  1900  dd6f11369c7851bd5f3553e8d9516214.exe  CTS.exe
    PID 1900 wrote to memory of 2340  1900  dd6f11369c7851bd5f3553e8d9516214.exe  CTS.exe
    PID 1900 wrote to memory of 2340  1900  dd6f11369c7851bd5f3553e8d9516214.exe  CTS.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\dd6f11369c7851bd5f3553e8d9516214.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dd6f11369c7851bd5f3553e8d9516214.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\fak9RC7WXL614mZ.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\fak9RC7WXL614mZ.exe
    - Executes dropped EXE
  - C:\Windows\CTS.exe
    Command line: "C:\Windows\CTS.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\fak9RC7WXL614mZ.exe
  Filesize: 143KB
  MD5: 38f108cddb6619fba80f8382d5227ece
  SHA1: 12fd277bf756f22cfae3043900e4aff8b9f05ed9
  SHA256: 8296fe257b8c34398e3f291764454ec3cd9cbe06d60989b632ef4ba6c73ae5dc
  SHA512: 3db732c23f10122c78cffc6b6a5b11836ade1a23f5c6f9a192f2be2fa99c5bd7afb7a9e29c5d518a888cdd2091f9ac41b244214be226152830e96f5ec2cca424
- C:\Windows\CTS.exe
  Filesize: 71KB
  MD5: 66df4ffab62e674af2e75b163563fc0b
  SHA1: dec8a197312e41eeb3cfef01cb2a443f0205cd6e
  SHA256: 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163
  SHA512: 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25
- memory/2784-12-0x000007FEF6133000-0x000007FEF6134000-memory.dmp
  Filesize: 4KB
- memory/2784-14-0x0000000000280000-0x00000000002A8000-memory.dmp
  Filesize: 160KB
- memory/2784-16-0x000007FEF6130000-0x000007FEF6B1C000-memory.dmp
  Filesize: 9.9MB