cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a

General

Target

cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
Size

2.8MB
MD5

db46e582064f971695def55152f82206
SHA1

cec8c4b2f685f75e1b4de0af785911c36875517a
SHA256

cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a
SHA512

39ce713b1488abafa9eee62f88846fb00f6673c6cfccd403ae824a5b069d6507b612fbe3438e17d7198b9f9d3583d491dbb0598c50ef86d956e0e4a185693006
SSDEEP

49152:O9rT/PCAOgOr4K3o9hRTt/wc9rI4GrOh4oPMLchvlHqJ/cSbiRMav40BN7pp6c1O:iT/XOgsdMsc9rIDih4oUGvh7S+iO4c6H

Score

8^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F41A6A8A-1997-9F16-1255-B19298FE6950}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F41A6A8A-1997-9F16-1255-B19298FE6950}\InprocServer32\ = "C:\\Program Files (x86)\\cosstminn\\1o.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F41A6A8A-1997-9F16-1255-B19298FE6950}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F41A6A8A-1997-9F16-1255-B19298FE6950}\InprocServer32	regsvr32.exe

Loads dropped DLL 3 IoCs

Processes:

cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exeregsvr32.exeregsvr32.exe

pid process

1408 cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
1808 regsvr32.exe
1752 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

Processes:

cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe

description	ioc	process
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\hcboefmbbmchbplcmnifkoeochifnmgo\2.0\manifest.json	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hcboefmbbmchbplcmnifkoeochifnmgo\2.0\manifest.json	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\hcboefmbbmchbplcmnifkoeochifnmgo\2.0\manifest.json	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exeregsvr32.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{F41A6A8A-1997-9F16-1255-B19298FE6950}	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F41A6A8A-1997-9F16-1255-B19298FE6950}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F41A6A8A-1997-9F16-1255-B19298FE6950}\ = "cosstminn"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F41A6A8A-1997-9F16-1255-B19298FE6950}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F41A6A8A-1997-9F16-1255-B19298FE6950}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{F41A6A8A-1997-9F16-1255-B19298FE6950}	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{F41A6A8A-1997-9F16-1255-B19298FE6950}\ = "cosstminn"	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{F41A6A8A-1997-9F16-1255-B19298FE6950}\NoExplorer = "1"	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe

Drops file in System32 directory 4 IoCs

Processes:

cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe

description	ioc	process
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
File opened for modification	C:\Windows\System32\GroupPolicy	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe

Drops file in Program Files directory 8 IoCs

Processes:

cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\cosstminn\1o.dat	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
File created	C:\Program Files (x86)\cosstminn\1o.x64.dll	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
File opened for modification	C:\Program Files (x86)\cosstminn\1o.x64.dll	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
File created	C:\Program Files (x86)\cosstminn\1o.dll	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
File opened for modification	C:\Program Files (x86)\cosstminn\1o.dll	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
File created	C:\Program Files (x86)\cosstminn\1o.tlb	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
File opened for modification	C:\Program Files (x86)\cosstminn\1o.tlb	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
File created	C:\Program Files (x86)\cosstminn\1o.dat	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

regsvr32.execb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{F41A6A8A-1997-9F16-1255-B19298FE6950}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{F41A6A8A-1997-9F16-1255-B19298FE6950}	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
Key deleted	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{F41A6A8A-1997-9F16-1255-B19298FE6950}	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
Key deleted	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
Key deleted	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{F41A6A8A-1997-9F16-1255-B19298FE6950}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe

Modifies registry class 64 IoCs

Processes:

cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cosstminn.cosstminn\CurVer\ = "cosstminn.2.0"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F41A6A8A-1997-9F16-1255-B19298FE6950}\Programmable	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cosstminn.cosstminn	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F41A6A8A-1997-9F16-1255-B19298FE6950}\ = "cosstminn"	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F41A6A8A-1997-9F16-1255-B19298FE6950}\VersionIndependentProgID\ = "cosstminn"	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\Version = "1.0"	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cosstminn.cosstminn.2.0\CLSID	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cosstminn.cosstminn.2.0\CLSID\ = "{F41A6A8A-1997-9F16-1255-B19298FE6950}"	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F41A6A8A-1997-9F16-1255-B19298FE6950}\Implemented Categories	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F41A6A8A-1997-9F16-1255-B19298FE6950}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cosstminn.cosstminn\CLSID\ = "{F41A6A8A-1997-9F16-1255-B19298FE6950}"	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F41A6A8A-1997-9F16-1255-B19298FE6950}	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F41A6A8A-1997-9F16-1255-B19298FE6950}\VersionIndependentProgID\ = "cosstminn"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F41A6A8A-1997-9F16-1255-B19298FE6950}\VersionIndependentProgID	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F41A6A8A-1997-9F16-1255-B19298FE6950}\ = "cosstminn"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F41A6A8A-1997-9F16-1255-B19298FE6950}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F41A6A8A-1997-9F16-1255-B19298FE6950}\InprocServer32	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cosstminn.cosstminn.2.0\ = "cosstminn"	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\cosstminn\\1o.tlb"	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F41A6A8A-1997-9F16-1255-B19298FE6950}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cosstminn.cosstminn\CurVer\ = "cosstminn.2.0"	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F41A6A8A-1997-9F16-1255-B19298FE6950}\InprocServer32\ThreadingModel = "Apartment"	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F41A6A8A-1997-9F16-1255-B19298FE6950}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F41A6A8A-1997-9F16-1255-B19298FE6950}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F41A6A8A-1997-9F16-1255-B19298FE6950}	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\cosstminn"	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cosstminn.cosstminn\ = "cosstminn"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F41A6A8A-1997-9F16-1255-B19298FE6950}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F41A6A8A-1997-9F16-1255-B19298FE6950}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F41A6A8A-1997-9F16-1255-B19298FE6950}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cosstminn.cosstminn\ = "cosstminn"	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe

pid	process
1408	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
1408	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
1408	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
1408	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
1408	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
1408	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
1408	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
1408	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe

description	pid	process
Token: SeDebugPrivilege	1408	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
Token: SeDebugPrivilege	1408	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
Token: SeDebugPrivilege	1408	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
Token: SeDebugPrivilege	1408	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
Token: SeDebugPrivilege	1408	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
Token: SeDebugPrivilege	1408	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exeregsvr32.exe

description	pid	process	target process
PID 1408 wrote to memory of 1808	1408	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe	regsvr32.exe
PID 1408 wrote to memory of 1808	1408	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe	regsvr32.exe
PID 1408 wrote to memory of 1808	1408	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe	regsvr32.exe
PID 1408 wrote to memory of 1808	1408	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe	regsvr32.exe
PID 1408 wrote to memory of 1808	1408	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe	regsvr32.exe
PID 1408 wrote to memory of 1808	1408	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe	regsvr32.exe
PID 1408 wrote to memory of 1808	1408	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe	regsvr32.exe
PID 1808 wrote to memory of 1752	1808	regsvr32.exe	regsvr32.exe
PID 1808 wrote to memory of 1752	1808	regsvr32.exe	regsvr32.exe
PID 1808 wrote to memory of 1752	1808	regsvr32.exe	regsvr32.exe
PID 1808 wrote to memory of 1752	1808	regsvr32.exe	regsvr32.exe
PID 1808 wrote to memory of 1752	1808	regsvr32.exe	regsvr32.exe
PID 1808 wrote to memory of 1752	1808	regsvr32.exe	regsvr32.exe
PID 1808 wrote to memory of 1752	1808	regsvr32.exe	regsvr32.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{F41A6A8A-1997-9F16-1255-B19298FE6950} = "1"	cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe

C:\Users\Admin\AppData\Local\Temp\cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe
"C:\Users\Admin\AppData\Local\Temp\cb1d854e84dadc82088b2c7beb542e02b68ebfe236fd36481fb7bc1d2156d96a.exe"
1⤵
- Loads dropped DLL
- Drops Chrome extension
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1408

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\cosstminn\1o.x64.dll"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1808

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\cosstminn\1o.x64.dll"
3⤵
- Registers COM server for autorun
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
PID:1752

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\cosstminn\1o.dat

Filesize
4KB

MD5
162e4f0c652265528218b7866cebc4a0

SHA1
d7cd167084a64c05853dc4b0cf47d35b71553702

SHA256
b6d507699713fbe3f19c93efee8c2a649155a4e13a2c246403fc510c64eeba67

SHA512
a065804386e08acded68ecd175facbdbdb58a51be8b057725bff703aafa352a4169bd29ca10ffa2d08dc66b9c8bcb985b29f8cd0f7fbbb59b7fac58f60358a0b

Download Submit
C:\Program Files (x86)\cosstminn\1o.tlb

Filesize
3KB

MD5
ee5a227830ec3db5afb6d542084d285f

SHA1
c78b0b9eb845a0a52b517c156ee3caafc9a1ad5c

SHA256
7e3e1d23c30946ec66d8bcf59e330ee9e38fac7416c0c6eb3eaafd0d8ef282a1

SHA512
50f62ec0e3704aa745e9bf449e215ba8a48321944a1023f9ed71e2f92faf8ea24d9c8cc5738385c1c2cd05fa988ebd183a0a9162772cc77791913aa485053927

Download Submit
C:\Program Files (x86)\cosstminn\1o.x64.dll

Filesize
685KB

MD5
174c7bd231f467a6cb6f15483b0e869c

SHA1
c633e908c513917f29491e59b34a0d5201cc4818

SHA256
0f7da568dce022e68239f1cb8688a669982765a180af56a5c2785cd455d03abc

SHA512
cbd1fc903e006f8fd7f1fb6f6eeac4c5e94d028855c8b3c1f453ad8958c4c959572cdaf60ea641787ec979d14794bff567e9f6983d991612acfea8508e81a93b

Download Submit
\Program Files (x86)\cosstminn\1o.dll

Filesize
605KB

MD5
a0d4eedcfefa3236995e8be50ded506c

SHA1
02e37daee41de8cbecd4021374536d838ca6f9fa

SHA256
485ba6f566fd2284ae6e9e38c87fb244dcc5ce118bd75d1d6191c3586f925e56

SHA512
00e804232ef5517c77396b70bcaaa4810e7a892753b0f153ffa1e76d6b4a6d6aebc31fa90d34c46ad41dd96208e7cb260c547e679bdab35b1e896b17d29ec5b3

Download Submit
\Program Files (x86)\cosstminn\1o.x64.dll

Filesize
685KB

MD5
174c7bd231f467a6cb6f15483b0e869c

SHA1
c633e908c513917f29491e59b34a0d5201cc4818

SHA256
0f7da568dce022e68239f1cb8688a669982765a180af56a5c2785cd455d03abc

SHA512
cbd1fc903e006f8fd7f1fb6f6eeac4c5e94d028855c8b3c1f453ad8958c4c959572cdaf60ea641787ec979d14794bff567e9f6983d991612acfea8508e81a93b

Download Submit
\Program Files (x86)\cosstminn\1o.x64.dll

Filesize
685KB

MD5
174c7bd231f467a6cb6f15483b0e869c

SHA1
c633e908c513917f29491e59b34a0d5201cc4818

SHA256
0f7da568dce022e68239f1cb8688a669982765a180af56a5c2785cd455d03abc

SHA512
cbd1fc903e006f8fd7f1fb6f6eeac4c5e94d028855c8b3c1f453ad8958c4c959572cdaf60ea641787ec979d14794bff567e9f6983d991612acfea8508e81a93b

Download Submit
memory/1408-72-0x0000000000512000-0x0000000000516000-memory.dmp

Filesize
16KB

Download
memory/1408-77-0x0000000000512000-0x0000000000516000-memory.dmp

Filesize
16KB

Download
memory/1408-66-0x0000000000512000-0x0000000000516000-memory.dmp

Filesize
16KB

Download
memory/1408-67-0x0000000000512000-0x0000000000516000-memory.dmp

Filesize
16KB

Download
memory/1408-68-0x0000000000512000-0x0000000000516000-memory.dmp

Filesize
16KB

Download
memory/1408-69-0x0000000000512000-0x0000000000516000-memory.dmp

Filesize
16KB

Download
memory/1408-70-0x0000000000512000-0x0000000000516000-memory.dmp

Filesize
16KB

Download
memory/1408-71-0x0000000000512000-0x0000000000516000-memory.dmp

Filesize
16KB

Download
memory/1408-54-0x00000000750A1000-0x00000000750A3000-memory.dmp

Filesize
8KB

Download
memory/1408-73-0x0000000000512000-0x0000000000516000-memory.dmp

Filesize
16KB

Download
memory/1408-74-0x0000000000512000-0x0000000000516000-memory.dmp

Filesize
16KB

Download
memory/1408-75-0x0000000000512000-0x0000000000516000-memory.dmp

Filesize
16KB

Download
memory/1408-76-0x0000000000512000-0x0000000000516000-memory.dmp

Filesize
16KB

Download
memory/1408-65-0x0000000000512000-0x0000000000516000-memory.dmp

Filesize
16KB

Download
memory/1408-78-0x0000000000512000-0x0000000000516000-memory.dmp

Filesize
16KB

Download
memory/1408-79-0x0000000000512000-0x0000000000516000-memory.dmp

Filesize
16KB

Download
memory/1408-64-0x0000000000512000-0x0000000000516000-memory.dmp

Filesize
16KB

Download
memory/1408-55-0x0000000000730000-0x00000000007D8000-memory.dmp

Filesize
672KB

Download
memory/1408-63-0x0000000000512000-0x0000000000516000-memory.dmp

Filesize
16KB

Download
memory/1408-62-0x0000000000512000-0x0000000000516000-memory.dmp

Filesize
16KB

Download
memory/1408-60-0x0000000000512000-0x0000000000516000-memory.dmp

Filesize
16KB

Download
memory/1408-61-0x0000000000512000-0x0000000000516000-memory.dmp

Filesize
16KB

Download
memory/1752-86-0x000007FEFB8B1000-0x000007FEFB8B3000-memory.dmp

Filesize
8KB

Download
memory/1752-85-0x0000000000000000-mapping.dmp

Download
memory/1808-81-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads