ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd

General

Target

ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
Size

2.9MB
MD5

63fb721e15a6495fea24edd62e68d0e2
SHA1

75fe9324b20d79b3786ddd351f0e87194452abee
SHA256

ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd
SHA512

3fd05db8569af2c96f232660707867f58e022bbc288e050e484cb1c82b100753bbf0e4261347b009476c6d42a4a1556e8a8fca1c4b9b4e63c8aa45f5777dc656
SSDEEP

49152:4/1EeXBpqSAN+4xOSVuGzZi8/zzQyZGj9//DTP0uGp4qR/jAFQ:uNRbA1ZGN/0uGp4q

Score

8^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1758031E-F81F-963D-0E8C-98F4365C833A}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1758031E-F81F-963D-0E8C-98F4365C833A}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1758031E-F81F-963D-0E8C-98F4365C833A}\InprocServer32\ = "C:\\Program Files (x86)\\cosstminn\\P59Xc4CjV.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1758031E-F81F-963D-0E8C-98F4365C833A}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Loads dropped DLL 3 IoCs

Processes:

ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exeregsvr32.exeregsvr32.exe

pid process

316 ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
1852 regsvr32.exe
1868 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

Processes:

ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\anbdohcadkbennckdnpmfdkpndogilah\2.0\manifest.json	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\anbdohcadkbennckdnpmfdkpndogilah\2.0\manifest.json	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\anbdohcadkbennckdnpmfdkpndogilah\2.0\manifest.json	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1758031E-F81F-963D-0E8C-98F4365C833A}\ = "cosstminn"	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1758031E-F81F-963D-0E8C-98F4365C833A}\NoExplorer = "1"	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1758031E-F81F-963D-0E8C-98F4365C833A}	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1758031E-F81F-963D-0E8C-98F4365C833A}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1758031E-F81F-963D-0E8C-98F4365C833A}\ = "cosstminn"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1758031E-F81F-963D-0E8C-98F4365C833A}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1758031E-F81F-963D-0E8C-98F4365C833A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1758031E-F81F-963D-0E8C-98F4365C833A}	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe

Drops file in System32 directory 4 IoCs

Processes:

ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe

Drops file in Program Files directory 8 IoCs

Processes:

ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe

description	ioc	process
File created	C:\Program Files (x86)\cosstminn\P59Xc4CjV.x64.dll	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
File opened for modification	C:\Program Files (x86)\cosstminn\P59Xc4CjV.x64.dll	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
File created	C:\Program Files (x86)\cosstminn\P59Xc4CjV.dll	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
File opened for modification	C:\Program Files (x86)\cosstminn\P59Xc4CjV.dll	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
File created	C:\Program Files (x86)\cosstminn\P59Xc4CjV.tlb	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
File opened for modification	C:\Program Files (x86)\cosstminn\P59Xc4CjV.tlb	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
File created	C:\Program Files (x86)\cosstminn\P59Xc4CjV.dat	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
File opened for modification	C:\Program Files (x86)\cosstminn\P59Xc4CjV.dat	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

regsvr32.exeae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{1758031E-F81F-963D-0E8C-98F4365C833A}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{1758031E-F81F-963D-0E8C-98F4365C833A}	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{1758031E-F81F-963D-0E8C-98F4365C833A}	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{1758031E-F81F-963D-0E8C-98F4365C833A}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe

Modifies registry class 64 IoCs

Processes:

ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1758031E-F81F-963D-0E8C-98F4365C833A}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1758031E-F81F-963D-0E8C-98F4365C833A}	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1758031E-F81F-963D-0E8C-98F4365C833A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1758031E-F81F-963D-0E8C-98F4365C833A}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cosstminn.cosstminn.2.0	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1758031E-F81F-963D-0E8C-98F4365C833A}\ = "cosstminn"	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1758031E-F81F-963D-0E8C-98F4365C833A}\Implemented Categories	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1758031E-F81F-963D-0E8C-98F4365C833A}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1758031E-F81F-963D-0E8C-98F4365C833A}\VersionIndependentProgID\ = "cosstminn"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1758031E-F81F-963D-0E8C-98F4365C833A}\VersionIndependentProgID\ = "cosstminn"	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1758031E-F81F-963D-0E8C-98F4365C833A}\VersionIndependentProgID	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1758031E-F81F-963D-0E8C-98F4365C833A}\InprocServer32\ = "C:\\Program Files (x86)\\cosstminn\\P59Xc4CjV.x64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1758031E-F81F-963D-0E8C-98F4365C833A}\InprocServer32	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cosstminn.cosstminn\CLSID\ = "{1758031E-F81F-963D-0E8C-98F4365C833A}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1758031E-F81F-963D-0E8C-98F4365C833A}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cosstminn.cosstminn.2.0\ = "cosstminn"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1758031E-F81F-963D-0E8C-98F4365C833A}\ProgID\ = "cosstminn.2.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cosstminn.cosstminn.2.0\ = "cosstminn"	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cosstminn.cosstminn\CLSID	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cosstminn.cosstminn\CurVer	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1758031E-F81F-963D-0E8C-98F4365C833A}\InprocServer32	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cosstminn.cosstminn.2.0\CLSID	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cosstminn.cosstminn\CLSID\ = "{1758031E-F81F-963D-0E8C-98F4365C833A}"	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1758031E-F81F-963D-0E8C-98F4365C833A}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1758031E-F81F-963D-0E8C-98F4365C833A}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cosstminn.cosstminn.2.0\CLSID\ = "{1758031E-F81F-963D-0E8C-98F4365C833A}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1758031E-F81F-963D-0E8C-98F4365C833A}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cosstminn.cosstminn	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\Version = "1.0"	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cosstminn.cosstminn\ = "cosstminn"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1758031E-F81F-963D-0E8C-98F4365C833A}\VersionIndependentProgID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1758031E-F81F-963D-0E8C-98F4365C833A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1758031E-F81F-963D-0E8C-98F4365C833A}\Programmable	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe

pid	process
316	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
316	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
316	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
316	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
316	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
316	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
316	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
316	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe

description	pid	process
Token: SeDebugPrivilege	316	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
Token: SeDebugPrivilege	316	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
Token: SeDebugPrivilege	316	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
Token: SeDebugPrivilege	316	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
Token: SeDebugPrivilege	316	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
Token: SeDebugPrivilege	316	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exeregsvr32.exe

description	pid	process	target process
PID 316 wrote to memory of 1852	316	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe	regsvr32.exe
PID 316 wrote to memory of 1852	316	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe	regsvr32.exe
PID 316 wrote to memory of 1852	316	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe	regsvr32.exe
PID 316 wrote to memory of 1852	316	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe	regsvr32.exe
PID 316 wrote to memory of 1852	316	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe	regsvr32.exe
PID 316 wrote to memory of 1852	316	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe	regsvr32.exe
PID 316 wrote to memory of 1852	316	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe	regsvr32.exe
PID 1852 wrote to memory of 1868	1852	regsvr32.exe	regsvr32.exe
PID 1852 wrote to memory of 1868	1852	regsvr32.exe	regsvr32.exe
PID 1852 wrote to memory of 1868	1852	regsvr32.exe	regsvr32.exe
PID 1852 wrote to memory of 1868	1852	regsvr32.exe	regsvr32.exe
PID 1852 wrote to memory of 1868	1852	regsvr32.exe	regsvr32.exe
PID 1852 wrote to memory of 1868	1852	regsvr32.exe	regsvr32.exe
PID 1852 wrote to memory of 1868	1852	regsvr32.exe	regsvr32.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{1758031E-F81F-963D-0E8C-98F4365C833A} = "1"	ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe

C:\Users\Admin\AppData\Local\Temp\ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe
"C:\Users\Admin\AppData\Local\Temp\ae7118d9ed4ad9897a426c8de5dcabc58e4e9855092286e8b9dbfb0c9797aafd.exe"
1⤵
- Loads dropped DLL
- Drops Chrome extension
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:316

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\cosstminn\P59Xc4CjV.x64.dll"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1852

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\cosstminn\P59Xc4CjV.x64.dll"
3⤵
- Registers COM server for autorun
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
PID:1868

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\cosstminn\P59Xc4CjV.dat

Filesize
4KB

MD5
8b356b139e29b409e55ea269eafd01fa

SHA1
b4db97ee161a44f0e091220f620db55c4f1b15ce

SHA256
9f01206b1355304cf81168882f2b3d256501c610ea1ac69bd654e1f6d439e003

SHA512
ab96414a4478e86016c8aec496281e18af1470910bf5a94c4d066bf881f2a0c66c4f2a691f60ab598ba416e909644dfba14c9b4b93c35dc345dcb6a84eb736b3

Download Submit
C:\Program Files (x86)\cosstminn\P59Xc4CjV.tlb

Filesize
3KB

MD5
92756a87f506c53ffa4f08473e79b5ae

SHA1
125c2f2d08520c51f8746ede70f746ef8a6de3cf

SHA256
7e1a9e2e2faea603ec96b5d3a906eb86a495cbe2ca4be8bc6a902e7bf2981877

SHA512
1aaef6b900b931ed65d48b7258558ca3dad7b47c3f269f5b3af78210fbf07f438db132dfe8f5cf3f24d75b9ef5a537fa5c057f43d04c068220d4cfb8d93b192e

Download Submit
C:\Program Files (x86)\cosstminn\P59Xc4CjV.x64.dll

Filesize
689KB

MD5
343075f940027d076b1a8a928e4ecd7c

SHA1
2c544aa0b1c2872afdaf49e966fc46bf1a0b348f

SHA256
8c2ec31e34cd2bfc4c9a3464abf774d7e13796c29cd615042ae8661b3530e3b0

SHA512
3a0a2076b991582e9c355426673950e06ccb1d9c7efc7be37ada2330b28152661d0535292f6e00f63045639e69d47de200cd2d378194e65b56317921e3fd675f

Download Submit
\Program Files (x86)\cosstminn\P59Xc4CjV.dll

Filesize
610KB

MD5
44786626cc0757d485d2ae91232f06e7

SHA1
f8416c9f7d1647afa38f3304510f7ad9456af2c0

SHA256
5b0d904dbc30696d9ef9326edb60bb068514bc858a348534c4d91b5435618906

SHA512
f4dd00c5ca0bdf9f3f32d8c2ffcbe57bedf8bfbb1c1454a7af39d4c0bdc6e59de2dc98be304708272e7dd980f46e1b964497e40579f1406999aca49f3c054cdf

Download Submit
\Program Files (x86)\cosstminn\P59Xc4CjV.x64.dll

Filesize
689KB

MD5
343075f940027d076b1a8a928e4ecd7c

SHA1
2c544aa0b1c2872afdaf49e966fc46bf1a0b348f

SHA256
8c2ec31e34cd2bfc4c9a3464abf774d7e13796c29cd615042ae8661b3530e3b0

SHA512
3a0a2076b991582e9c355426673950e06ccb1d9c7efc7be37ada2330b28152661d0535292f6e00f63045639e69d47de200cd2d378194e65b56317921e3fd675f

Download Submit
\Program Files (x86)\cosstminn\P59Xc4CjV.x64.dll

Filesize
689KB

MD5
343075f940027d076b1a8a928e4ecd7c

SHA1
2c544aa0b1c2872afdaf49e966fc46bf1a0b348f

SHA256
8c2ec31e34cd2bfc4c9a3464abf774d7e13796c29cd615042ae8661b3530e3b0

SHA512
3a0a2076b991582e9c355426673950e06ccb1d9c7efc7be37ada2330b28152661d0535292f6e00f63045639e69d47de200cd2d378194e65b56317921e3fd675f

Download Submit
memory/316-54-0x0000000075FF1000-0x0000000075FF3000-memory.dmp

Filesize
8KB

Download
memory/316-55-0x0000000000BE0000-0x0000000000C81000-memory.dmp

Filesize
644KB

Download
memory/1852-80-0x0000000000000000-mapping.dmp

Download
memory/1868-84-0x0000000000000000-mapping.dmp

Download
memory/1868-85-0x000007FEFC191000-0x000007FEFC193000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads