e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839

General

Target

e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
Size

3.0MB
MD5

298d9f4141bbf96a65181018e438c0d2
SHA1

3589a1c0fe75043adddc6f6b914fa5dc5d118957
SHA256

e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839
SHA512

141317d11fade4685435dc6beabcf3675fc583bea082d5b01283b965e0e39d132da6c6c235b7a0652d2c09a4a0df684040a9491eb72db9a02f62b4c930fcf203
SSDEEP

49152:KakLXT1thrZAm2ypwiGJoZebkxlbFHuGlXcbKtNnHrN91F8ujWsBWKJmi:KaIXTUCKimkvbzxxLNFDjWtI

Score

8^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6C2098E5-21C4-9F76-D8FD-87F4F22115E2}\InprocServer32\ = "C:\\Program Files (x86)\\cosstminn\\FjQMtN.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6C2098E5-21C4-9F76-D8FD-87F4F22115E2}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6C2098E5-21C4-9F76-D8FD-87F4F22115E2}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6C2098E5-21C4-9F76-D8FD-87F4F22115E2}\InprocServer32	regsvr32.exe

Loads dropped DLL 3 IoCs

Processes:

e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exeregsvr32.exeregsvr32.exe

pid process

1996 e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
1680 regsvr32.exe
984 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

Processes:

e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\khiiiolbfdojoeaboalecgmaccnmmekg\2.0\manifest.json	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\khiiiolbfdojoeaboalecgmaccnmmekg\2.0\manifest.json	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\khiiiolbfdojoeaboalecgmaccnmmekg\2.0\manifest.json	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exeregsvr32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{6C2098E5-21C4-9F76-D8FD-87F4F22115E2}\NoExplorer = "1"	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{6C2098E5-21C4-9F76-D8FD-87F4F22115E2}	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6C2098E5-21C4-9F76-D8FD-87F4F22115E2}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6C2098E5-21C4-9F76-D8FD-87F4F22115E2}\ = "cosstminn"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6C2098E5-21C4-9F76-D8FD-87F4F22115E2}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6C2098E5-21C4-9F76-D8FD-87F4F22115E2}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{6C2098E5-21C4-9F76-D8FD-87F4F22115E2}	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{6C2098E5-21C4-9F76-D8FD-87F4F22115E2}\ = "cosstminn"	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe

Drops file in System32 directory 4 IoCs

Processes:

e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe

Drops file in Program Files directory 8 IoCs

Processes:

e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\cosstminn\FjQMtN.dat	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
File created	C:\Program Files (x86)\cosstminn\FjQMtN.x64.dll	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
File opened for modification	C:\Program Files (x86)\cosstminn\FjQMtN.x64.dll	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
File created	C:\Program Files (x86)\cosstminn\FjQMtN.dll	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
File opened for modification	C:\Program Files (x86)\cosstminn\FjQMtN.dll	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
File created	C:\Program Files (x86)\cosstminn\FjQMtN.tlb	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
File opened for modification	C:\Program Files (x86)\cosstminn\FjQMtN.tlb	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
File created	C:\Program Files (x86)\cosstminn\FjQMtN.dat	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

regsvr32.exee54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{6C2098E5-21C4-9F76-D8FD-87F4F22115E2}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{6C2098E5-21C4-9F76-D8FD-87F4F22115E2}	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{6C2098E5-21C4-9F76-D8FD-87F4F22115E2}	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{6C2098E5-21C4-9F76-D8FD-87F4F22115E2}	regsvr32.exe

Modifies registry class 64 IoCs

Processes:

e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exeregsvr32.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6C2098E5-21C4-9F76-D8FD-87F4F22115E2}\InprocServer32	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6C2098E5-21C4-9F76-D8FD-87F4F22115E2}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6C2098E5-21C4-9F76-D8FD-87F4F22115E2}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cosstminn.cosstminn\CurVer	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\Version = "1.0"	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cosstminn.cosstminn\CLSID\ = "{6C2098E5-21C4-9F76-D8FD-87F4F22115E2}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6C2098E5-21C4-9F76-D8FD-87F4F22115E2}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6C2098E5-21C4-9F76-D8FD-87F4F22115E2}\VersionIndependentProgID\ = "cosstminn"	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6C2098E5-21C4-9F76-D8FD-87F4F22115E2}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6C2098E5-21C4-9F76-D8FD-87F4F22115E2}\InprocServer32\ThreadingModel = "Apartment"	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6C2098E5-21C4-9F76-D8FD-87F4F22115E2}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cosstminn.cosstminn.2.0\ = "cosstminn"	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6C2098E5-21C4-9F76-D8FD-87F4F22115E2}\ProgID	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6C2098E5-21C4-9F76-D8FD-87F4F22115E2}	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6C2098E5-21C4-9F76-D8FD-87F4F22115E2}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cosstminn.cosstminn.2.0	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6C2098E5-21C4-9F76-D8FD-87F4F22115E2}\ = "cosstminn"	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6C2098E5-21C4-9F76-D8FD-87F4F22115E2}\Implemented Categories	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6C2098E5-21C4-9F76-D8FD-87F4F22115E2}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cosstminn.cosstminn.2.0\ = "cosstminn"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cosstminn.cosstminn.2.0\CLSID\ = "{6C2098E5-21C4-9F76-D8FD-87F4F22115E2}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6C2098E5-21C4-9F76-D8FD-87F4F22115E2}\InprocServer32\ = "C:\\Program Files (x86)\\cosstminn\\FjQMtN.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6C2098E5-21C4-9F76-D8FD-87F4F22115E2}\InprocServer32\ = "C:\\Program Files (x86)\\cosstminn\\FjQMtN.dll"	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6C2098E5-21C4-9F76-D8FD-87F4F22115E2}\VersionIndependentProgID	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\Version = "1.0"	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cosstminn.cosstminn\CurVer\ = "cosstminn.2.0"	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6C2098E5-21C4-9F76-D8FD-87F4F22115E2}\InprocServer32	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6C2098E5-21C4-9F76-D8FD-87F4F22115E2}\ProgID	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6C2098E5-21C4-9F76-D8FD-87F4F22115E2}\ = "cosstminn"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cosstminn.cosstminn	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6C2098E5-21C4-9F76-D8FD-87F4F22115E2}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe

pid	process
1996	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
1996	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
1996	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
1996	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
1996	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
1996	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
1996	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
1996	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe

description	pid	process
Token: SeDebugPrivilege	1996	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
Token: SeDebugPrivilege	1996	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
Token: SeDebugPrivilege	1996	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
Token: SeDebugPrivilege	1996	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
Token: SeDebugPrivilege	1996	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
Token: SeDebugPrivilege	1996	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exeregsvr32.exe

description	pid	process	target process
PID 1996 wrote to memory of 1680	1996	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe	regsvr32.exe
PID 1996 wrote to memory of 1680	1996	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe	regsvr32.exe
PID 1996 wrote to memory of 1680	1996	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe	regsvr32.exe
PID 1996 wrote to memory of 1680	1996	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe	regsvr32.exe
PID 1996 wrote to memory of 1680	1996	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe	regsvr32.exe
PID 1996 wrote to memory of 1680	1996	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe	regsvr32.exe
PID 1996 wrote to memory of 1680	1996	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe	regsvr32.exe
PID 1680 wrote to memory of 984	1680	regsvr32.exe	regsvr32.exe
PID 1680 wrote to memory of 984	1680	regsvr32.exe	regsvr32.exe
PID 1680 wrote to memory of 984	1680	regsvr32.exe	regsvr32.exe
PID 1680 wrote to memory of 984	1680	regsvr32.exe	regsvr32.exe
PID 1680 wrote to memory of 984	1680	regsvr32.exe	regsvr32.exe
PID 1680 wrote to memory of 984	1680	regsvr32.exe	regsvr32.exe
PID 1680 wrote to memory of 984	1680	regsvr32.exe	regsvr32.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{6C2098E5-21C4-9F76-D8FD-87F4F22115E2} = "1"	e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe

C:\Users\Admin\AppData\Local\Temp\e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe
"C:\Users\Admin\AppData\Local\Temp\e54b81b3b492b2d0fea0b3ec5a23bfd3070f014fde5c90a8fd1a476f6cee9839.exe"
1⤵
- Loads dropped DLL
- Drops Chrome extension
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1996

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\cosstminn\FjQMtN.x64.dll"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\cosstminn\FjQMtN.x64.dll"
3⤵
- Registers COM server for autorun
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
PID:984

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\cosstminn\FjQMtN.dat
Filesize
4KB

MD5
caa33632bdb2b03a2381f19a87ce8439

SHA1
c286b78f9926c7d217eb0c9b9ab67ddb080e1e4a

SHA256
aa782c770454073cfccbc54a206a523b22543b05a5316f12e3d3957d1229575e

SHA512
f5baa7f1575ddedf15936094f7e0fe7d7f9cab560f5c9defa8e9f75021f4fb71acf4977f08d4234d83a84a3fa9d6f518a25cf42f2d207542e2011e263b55a495

Download Submit
C:\Program Files (x86)\cosstminn\FjQMtN.tlb
Filesize
3KB

MD5
3fdfaa71c68f31e83daf46b214ff8c89

SHA1
fe4a9d2172e9a94570f46fc151b94f90db08da77

SHA256
2d4e42ee22cf2171777f6f2aa232df7a2ad3445b6988ee2f2666ec2a863aca93

SHA512
392faf168a97d35fc4fa414844cae3662d231f18d5db55891e6cf281f34cef590cb94f6a650565b5b2bdf2c0899dc872c432106449604079f3283da241f2a100

Download Submit
C:\Program Files (x86)\cosstminn\FjQMtN.x64.dll
Filesize
687KB

MD5
cd1a0489adc1f05fc31a65eb26e08c92

SHA1
95af9d7095d36dee3e4d2e2952ca1a199c2bb596

SHA256
b63804fa2e99e3bd6b8dac3e203cba731ae2317e1fdae32014a88ff40a7a4755

SHA512
52bc43818912822eb746196aea22b11287a914f156c2838e8c2bc01469758ac18f0575df3d05f7b37042e8c3fd88d5c905d69f359963d5d57c42d0bd7b073c19

Download Submit
\Program Files (x86)\cosstminn\FjQMtN.dll
Filesize
610KB

MD5
8c17652e3d7951221e9afeb07a4c71e6

SHA1
68aeb97e567f4e705d4126a60bd94ef567760b61

SHA256
4085d30c67ed3d336266d7dd5c2a1bfac8e6ba45f9240b31283e43ac9555ea24

SHA512
6f21a4058579e7babe1ee44199fc41bf282d6e0c92352c636f39160c7c9e61191f9eb4186dcba8f0a25cf51f97c181e3027f2bbcee9f723a85de159121655065

Download Submit
\Program Files (x86)\cosstminn\FjQMtN.x64.dll
Filesize
687KB

MD5
cd1a0489adc1f05fc31a65eb26e08c92

SHA1
95af9d7095d36dee3e4d2e2952ca1a199c2bb596

SHA256
b63804fa2e99e3bd6b8dac3e203cba731ae2317e1fdae32014a88ff40a7a4755

SHA512
52bc43818912822eb746196aea22b11287a914f156c2838e8c2bc01469758ac18f0575df3d05f7b37042e8c3fd88d5c905d69f359963d5d57c42d0bd7b073c19

Download Submit
\Program Files (x86)\cosstminn\FjQMtN.x64.dll
Filesize
687KB

MD5
cd1a0489adc1f05fc31a65eb26e08c92

SHA1
95af9d7095d36dee3e4d2e2952ca1a199c2bb596

SHA256
b63804fa2e99e3bd6b8dac3e203cba731ae2317e1fdae32014a88ff40a7a4755

SHA512
52bc43818912822eb746196aea22b11287a914f156c2838e8c2bc01469758ac18f0575df3d05f7b37042e8c3fd88d5c905d69f359963d5d57c42d0bd7b073c19

Download Submit
memory/984-85-0x000007FEFBBF1000-0x000007FEFBBF3000-memory.dmp

Filesize
8KB

Download
memory/984-84-0x0000000000000000-mapping.dmp

Download
memory/1680-80-0x0000000000000000-mapping.dmp

Download
memory/1996-65-0x00000000005D2000-0x00000000005D6000-memory.dmp

Filesize
16KB

Download
memory/1996-78-0x00000000005D2000-0x00000000005D6000-memory.dmp

Filesize
16KB

Download
memory/1996-69-0x00000000005D2000-0x00000000005D6000-memory.dmp

Filesize
16KB

Download
memory/1996-71-0x00000000005D2000-0x00000000005D6000-memory.dmp

Filesize
16KB

Download
memory/1996-70-0x00000000005D2000-0x00000000005D6000-memory.dmp

Filesize
16KB

Download
memory/1996-72-0x00000000005D2000-0x00000000005D6000-memory.dmp

Filesize
16KB

Download
memory/1996-73-0x00000000005D2000-0x00000000005D6000-memory.dmp

Filesize
16KB

Download
memory/1996-74-0x00000000005D2000-0x00000000005D6000-memory.dmp

Filesize
16KB

Download
memory/1996-75-0x00000000005D2000-0x00000000005D6000-memory.dmp

Filesize
16KB

Download
memory/1996-76-0x00000000005D2000-0x00000000005D6000-memory.dmp

Filesize
16KB

Download
memory/1996-77-0x00000000005D2000-0x00000000005D6000-memory.dmp

Filesize
16KB

Download
memory/1996-67-0x00000000005D2000-0x00000000005D6000-memory.dmp

Filesize
16KB

Download
memory/1996-68-0x00000000005D2000-0x00000000005D6000-memory.dmp

Filesize
16KB

Download
memory/1996-66-0x00000000005D2000-0x00000000005D6000-memory.dmp

Filesize
16KB

Download
memory/1996-54-0x00000000760E1000-0x00000000760E3000-memory.dmp

Filesize
8KB

Download
memory/1996-64-0x00000000005D2000-0x00000000005D6000-memory.dmp

Filesize
16KB

Download
memory/1996-63-0x00000000005D2000-0x00000000005D6000-memory.dmp

Filesize
16KB

Download
memory/1996-62-0x00000000005D2000-0x00000000005D6000-memory.dmp

Filesize
16KB

Download
memory/1996-61-0x00000000005D2000-0x00000000005D6000-memory.dmp

Filesize
16KB

Download
memory/1996-60-0x00000000005D2000-0x00000000005D6000-memory.dmp

Filesize
16KB

Download
memory/1996-55-0x0000000000480000-0x0000000000520000-memory.dmp

Filesize
640KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads