44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f

General

Target

44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
Size

2.9MB
MD5

619f94a96f83368d205f44d34fb24061
SHA1

2b996a2cf1e57cbd377b301cb1bbbde876b0ba7e
SHA256

44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f
SHA512

e2a626e74da57433fe4f531a23fb9909404ab639dbef650cb501fbb0bcf2959f41bf0ca67de2bc5ae0ad57712358f1b70309b2ccfce62f81de6ca440851dad68
SSDEEP

49152:wNlIwOj323Z/CYbkOoZyNuWL5mq+9Ou4SzROsp6XmICGFbsbg1VL9enR:WWoFCYbMCLYcPxYmRQg1U

Score

8^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D71742D5-0875-4EE8-5FA9-E2335EDEBEE6}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D71742D5-0875-4EE8-5FA9-E2335EDEBEE6}\InprocServer32\ = "C:\\Program Files (x86)\\cosstminn\\LVl_.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D71742D5-0875-4EE8-5FA9-E2335EDEBEE6}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D71742D5-0875-4EE8-5FA9-E2335EDEBEE6}\InprocServer32	regsvr32.exe

Loads dropped DLL 3 IoCs

Processes:

44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exeregsvr32.exeregsvr32.exe

pid process

1756 44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
1008 regsvr32.exe
1860 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

Processes:

44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfobdanmjolnbejjohecamlhhffmmfeg\2.0\manifest.json	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfobdanmjolnbejjohecamlhhffmmfeg\2.0\manifest.json	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfobdanmjolnbejjohecamlhhffmmfeg\2.0\manifest.json	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.exe44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D71742D5-0875-4EE8-5FA9-E2335EDEBEE6}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D71742D5-0875-4EE8-5FA9-E2335EDEBEE6}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D71742D5-0875-4EE8-5FA9-E2335EDEBEE6}	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D71742D5-0875-4EE8-5FA9-E2335EDEBEE6}\ = "cosstminn"	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D71742D5-0875-4EE8-5FA9-E2335EDEBEE6}\NoExplorer = "1"	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D71742D5-0875-4EE8-5FA9-E2335EDEBEE6}	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D71742D5-0875-4EE8-5FA9-E2335EDEBEE6}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D71742D5-0875-4EE8-5FA9-E2335EDEBEE6}\ = "cosstminn"	regsvr32.exe

Drops file in System32 directory 4 IoCs

Processes:

44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe

Drops file in Program Files directory 8 IoCs

Processes:

44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe

description	ioc	process
File created	C:\Program Files (x86)\cosstminn\LVl_.dll	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
File opened for modification	C:\Program Files (x86)\cosstminn\LVl_.dll	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
File created	C:\Program Files (x86)\cosstminn\LVl_.tlb	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
File opened for modification	C:\Program Files (x86)\cosstminn\LVl_.tlb	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
File created	C:\Program Files (x86)\cosstminn\LVl_.dat	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
File opened for modification	C:\Program Files (x86)\cosstminn\LVl_.dat	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
File created	C:\Program Files (x86)\cosstminn\LVl_.x64.dll	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
File opened for modification	C:\Program Files (x86)\cosstminn\LVl_.x64.dll	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

regsvr32.exe44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{D71742D5-0875-4EE8-5FA9-E2335EDEBEE6}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{D71742D5-0875-4EE8-5FA9-E2335EDEBEE6}	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
Key deleted	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{D71742D5-0875-4EE8-5FA9-E2335EDEBEE6}	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
Key deleted	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
Key deleted	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{D71742D5-0875-4EE8-5FA9-E2335EDEBEE6}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exe44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D71742D5-0875-4EE8-5FA9-E2335EDEBEE6}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D71742D5-0875-4EE8-5FA9-E2335EDEBEE6}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D71742D5-0875-4EE8-5FA9-E2335EDEBEE6}\InprocServer32\ = "C:\\Program Files (x86)\\cosstminn\\LVl_.dll"	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D71742D5-0875-4EE8-5FA9-E2335EDEBEE6}\ProgID	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D71742D5-0875-4EE8-5FA9-E2335EDEBEE6}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D71742D5-0875-4EE8-5FA9-E2335EDEBEE6}\VersionIndependentProgID\ = "cosstminn"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cosstminn.cosstminn	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D71742D5-0875-4EE8-5FA9-E2335EDEBEE6}\VersionIndependentProgID\ = "cosstminn"	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D71742D5-0875-4EE8-5FA9-E2335EDEBEE6}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D71742D5-0875-4EE8-5FA9-E2335EDEBEE6}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D71742D5-0875-4EE8-5FA9-E2335EDEBEE6}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D71742D5-0875-4EE8-5FA9-E2335EDEBEE6}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D71742D5-0875-4EE8-5FA9-E2335EDEBEE6}	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cosstminn.cosstminn\CLSID\ = "{D71742D5-0875-4EE8-5FA9-E2335EDEBEE6}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D71742D5-0875-4EE8-5FA9-E2335EDEBEE6}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cosstminn.cosstminn\CurVer\ = "cosstminn.2.0"	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D71742D5-0875-4EE8-5FA9-E2335EDEBEE6}\InprocServer32	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cosstminn.cosstminn\CurVer\ = "cosstminn.2.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D71742D5-0875-4EE8-5FA9-E2335EDEBEE6}\ProgID	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D71742D5-0875-4EE8-5FA9-E2335EDEBEE6}\Programmable	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cosstminn.cosstminn.2.0\ = "cosstminn"	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cosstminn.cosstminn.2.0\CLSID	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D71742D5-0875-4EE8-5FA9-E2335EDEBEE6}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cosstminn.cosstminn\ = "cosstminn"	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\Version = "1.0"	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cosstminn.cosstminn\ = "cosstminn"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cosstminn.cosstminn\CurVer	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D71742D5-0875-4EE8-5FA9-E2335EDEBEE6}\InprocServer32\ = "C:\\Program Files (x86)\\cosstminn\\LVl_.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D71742D5-0875-4EE8-5FA9-E2335EDEBEE6}\ = "cosstminn"	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D71742D5-0875-4EE8-5FA9-E2335EDEBEE6}\VersionIndependentProgID	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe

pid	process
1756	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
1756	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
1756	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
1756	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
1756	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
1756	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
1756	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
1756	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe

description	pid	process
Token: SeDebugPrivilege	1756	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
Token: SeDebugPrivilege	1756	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
Token: SeDebugPrivilege	1756	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
Token: SeDebugPrivilege	1756	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
Token: SeDebugPrivilege	1756	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
Token: SeDebugPrivilege	1756	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exeregsvr32.exe

description	pid	process	target process
PID 1756 wrote to memory of 1008	1756	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe	regsvr32.exe
PID 1756 wrote to memory of 1008	1756	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe	regsvr32.exe
PID 1756 wrote to memory of 1008	1756	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe	regsvr32.exe
PID 1756 wrote to memory of 1008	1756	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe	regsvr32.exe
PID 1756 wrote to memory of 1008	1756	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe	regsvr32.exe
PID 1756 wrote to memory of 1008	1756	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe	regsvr32.exe
PID 1756 wrote to memory of 1008	1756	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe	regsvr32.exe
PID 1008 wrote to memory of 1860	1008	regsvr32.exe	regsvr32.exe
PID 1008 wrote to memory of 1860	1008	regsvr32.exe	regsvr32.exe
PID 1008 wrote to memory of 1860	1008	regsvr32.exe	regsvr32.exe
PID 1008 wrote to memory of 1860	1008	regsvr32.exe	regsvr32.exe
PID 1008 wrote to memory of 1860	1008	regsvr32.exe	regsvr32.exe
PID 1008 wrote to memory of 1860	1008	regsvr32.exe	regsvr32.exe
PID 1008 wrote to memory of 1860	1008	regsvr32.exe	regsvr32.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{D71742D5-0875-4EE8-5FA9-E2335EDEBEE6} = "1"	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe

C:\Users\Admin\AppData\Local\Temp\44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe
"C:\Users\Admin\AppData\Local\Temp\44fcb7c35a401ad0e320c992ef96b1d54e6564ec2a89ae9656d268049344c33f.exe"
1⤵
- Loads dropped DLL
- Drops Chrome extension
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1756
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s "C:\Program Files (x86)\cosstminn\LVl_.x64.dll"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1008
- - C:\Windows\system32\regsvr32.exe
    /s "C:\Program Files (x86)\cosstminn\LVl_.x64.dll"
    3⤵
    - Registers COM server for autorun
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:1860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\cosstminn\LVl_.dat

Filesize
4KB

MD5
613911524406c85d6254e9c3246ad5a9

SHA1
b0d5f8deaf1d3dd3876f013b62acd5fc1e61d922

SHA256
4862b819d2d1904015d6bc73989c799c73c31ad19e162fbfe76cfe48b9b914c1

SHA512
7e3785bd8cfe238db746b68316b0aaff7ae7a2d60287a7b31141d8a8a54f2003bdc0943d53002e3eaf65c0246ba9c451b8992b1fe177c0b1e8bf17afdc4585c3

Download Submit
C:\Program Files (x86)\cosstminn\LVl_.tlb

Filesize
3KB

MD5
531346571ee2e23320503dd0cf8dde04

SHA1
ed110980a7d9e2b1fe6e870291cfbcaf1d2c1219

SHA256
5a60546a281eb5a6961b925a60995cb8f888cc1a66e327e6263c21ea3d3b0e7c

SHA512
7e04a177e6375f382a88d01a43763e0f4be945426b6635b262597408a320b0e2f0aabea394a923be60c79a009c1737104b69cb5e47bc884215966a8cd679d691

Download Submit
C:\Program Files (x86)\cosstminn\LVl_.x64.dll

Filesize
687KB

MD5
81d4889568a6f6e358ca9a3d307765e1

SHA1
60990e17843d1de4b2ed29acd97e988c33b5e55e

SHA256
b1b3213c365c3bb4047a30446181aab8cd835eda9a4ebfb02d29f8629d205bfc

SHA512
689289e254060a9f5e6e3c2ad69871c28cb9bd7cf5af16257a95a65205ae2c52c928737dac348084a8870f69de9f530c60f2895d4cfccc2275d0f8f25420f138

Download Submit
\Program Files (x86)\cosstminn\LVl_.dll

Filesize
605KB

MD5
72ae14ac560cd862a9dc671547286d1b

SHA1
929cc12b75cbcbbb18ca5d1a8d463fd0bf607d19

SHA256
0e3cd6bddd4109628f9193cbd68da68a06d92bdc6afd2544b6d2cf7a25813f9a

SHA512
ebc2da889fb26a2137783e1fadbd7d6f9eed47449df6583efd9df66f89c6c05fd34d01c8da15cbf64d493f07bcbcc0d84800e7bbe34fb7d7e018c1a5de265c26

Download Submit
\Program Files (x86)\cosstminn\LVl_.x64.dll

Filesize
687KB

MD5
81d4889568a6f6e358ca9a3d307765e1

SHA1
60990e17843d1de4b2ed29acd97e988c33b5e55e

SHA256
b1b3213c365c3bb4047a30446181aab8cd835eda9a4ebfb02d29f8629d205bfc

SHA512
689289e254060a9f5e6e3c2ad69871c28cb9bd7cf5af16257a95a65205ae2c52c928737dac348084a8870f69de9f530c60f2895d4cfccc2275d0f8f25420f138

Download Submit
\Program Files (x86)\cosstminn\LVl_.x64.dll

Filesize
687KB

MD5
81d4889568a6f6e358ca9a3d307765e1

SHA1
60990e17843d1de4b2ed29acd97e988c33b5e55e

SHA256
b1b3213c365c3bb4047a30446181aab8cd835eda9a4ebfb02d29f8629d205bfc

SHA512
689289e254060a9f5e6e3c2ad69871c28cb9bd7cf5af16257a95a65205ae2c52c928737dac348084a8870f69de9f530c60f2895d4cfccc2275d0f8f25420f138

Download Submit
memory/1008-82-0x0000000000000000-mapping.dmp

Download
memory/1756-54-0x0000000076221000-0x0000000076223000-memory.dmp

Filesize
8KB

Download
memory/1756-55-0x00000000026B0000-0x0000000002752000-memory.dmp

Filesize
648KB

Download
memory/1860-86-0x0000000000000000-mapping.dmp

Download
memory/1860-87-0x000007FEFC261000-0x000007FEFC263000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads