Analysis
max time kernel
133s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags
arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted
01-07-2024 03:48
Static task
static1
Behavioral task
behavioral1
Sample
dd6f11369c7851bd5f3553e8d9516214.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
dd6f11369c7851bd5f3553e8d9516214.exe
Resource
win10v2004-20240611-en
General
-
Target
dd6f11369c7851bd5f3553e8d9516214.exe
-
Size
214KB
-
MD5
dd6f11369c7851bd5f3553e8d9516214
-
SHA1
b2d9f99e12ac6d0e1adb70f883a220ae6e28752c
-
SHA256
c897c6077d4a6dece0df7d91eaf9bc6be011c92b5261012ca0fa896600caaa30
-
SHA512
5b0cce7f1ec91d4365e443c53e7ea173b3c1a22850734de68efb9692a484967fe5ce5cb38d15df90eef8ea3119f53ae8b536fed5e32df57fb2caa0ac73004973
-
SSDEEP
3072:ZhpAyazIlyazTIFTZIPrsrVbmTk31LI2cu8vKLiGaiWdPHabe571Y:hZMazU8DsrVbmTC1Ltc1OiGa7dY1
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
Processes: Oby63J9msyz1JTL.exe, CTS.exe
pid | process
2484 | Oby63J9msyz1JTL.exe
648 | CTS.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: dd6f11369c7851bd5f3553e8d9516214.exe, CTS.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | dd6f11369c7851bd5f3553e8d9516214.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | CTS.exe
Drops file in Windows directory 2 IoCs
Processes: dd6f11369c7851bd5f3553e8d9516214.exe, CTS.exe
description | ioc | process
File created | C:\Windows\CTS.exe | dd6f11369c7851bd5f3553e8d9516214.exe
File created | C:\Windows\CTS.exe | CTS.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: dd6f11369c7851bd5f3553e8d9516214.exe, CTS.exe
description | pid | process
Token: SeDebugPrivilege | 2964 | dd6f11369c7851bd5f3553e8d9516214.exe
Token: SeDebugPrivilege | 648 | CTS.exe
Suspicious use of WriteProcessMemory 5 IoCs
Processes: dd6f11369c7851bd5f3553e8d9516214.exe
description | pid | process | target process
PID 2964 wrote to memory of 2484 | 2964 | dd6f11369c7851bd5f3553e8d9516214.exe | Oby63J9msyz1JTL.exe
PID 2964 wrote to memory of 2484 | 2964 | dd6f11369c7851bd5f3553e8d9516214.exe | Oby63J9msyz1JTL.exe
PID 2964 wrote to memory of 648 | 2964 | dd6f11369c7851bd5f3553e8d9516214.exe | CTS.exe
PID 2964 wrote to memory of 648 | 2964 | dd6f11369c7851bd5f3553e8d9516214.exe | CTS.exe
PID 2964 wrote to memory of 648 | 2964 | dd6f11369c7851bd5f3553e8d9516214.exe | CTS.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\dd6f11369c7851bd5f3553e8d9516214.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\dd6f11369c7851bd5f3553e8d9516214.exe"
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Oby63J9msyz1JTL.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\Oby63J9msyz1JTL.exe
    - Executes dropped EXE
  - C:\Windows\CTS.exe (depth 2)
    Command line: "C:\Windows\CTS.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
Filesize
392KB
MD5
8a88adcbad5564148b37f6a47133e9f0
SHA1
4534031f07b3593e87248a393bfe3815522ab9d6
SHA256
73b5861403d350a5daf2d158b11e4e8d35a1764a65814021d0880bd8701f5bde
SHA512
95cc560f39e41843a164ca9c15564b79769b67a3a652a051823ea655e79ff675adaddfbba14e920b92237823292c2c4f53032d7f08e2a94a961ec2b9e07ae910
- C:\Users\Admin\AppData\Local\Temp\Oby63J9msyz1JTL.exe
Filesize
143KB
MD5
38f108cddb6619fba80f8382d5227ece
SHA1
12fd277bf756f22cfae3043900e4aff8b9f05ed9
SHA256
8296fe257b8c34398e3f291764454ec3cd9cbe06d60989b632ef4ba6c73ae5dc
SHA512
3db732c23f10122c78cffc6b6a5b11836ade1a23f5c6f9a192f2be2fa99c5bd7afb7a9e29c5d518a888cdd2091f9ac41b244214be226152830e96f5ec2cca424
- C:\Windows\CTS.exe
Filesize
71KB
MD5
66df4ffab62e674af2e75b163563fc0b
SHA1
dec8a197312e41eeb3cfef01cb2a443f0205cd6e
SHA256
075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163
SHA512
1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25
- memory/2484-11-0x00007FFB832B3000-0x00007FFB832B5000-memory.dmp
Filesize
8KB
- memory/2484-13-0x0000000000190000-0x00000000001B8000-memory.dmp
Filesize
160KB
- memory/2484-22-0x00007FFB832B0000-0x00007FFB83D71000-memory.dmp
Filesize
10.8MB
- memory/2484-32-0x00007FFB832B0000-0x00007FFB83D71000-memory.dmp
Filesize
10.8MB