Analysis
- max time kernel: 39s
- max time network: 45s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 25-11-2022 07:20

Static task: static1

Behavioral task: behavioral1
- Sample: a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
- Resource: win7-20220812-en

Behavioral task: behavioral2
- Sample: a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
- Resource: win10v2004-20220812-en
General
- Target: a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
- Size: 3.2MB
- MD5: d5aadcf5df636b34068edf4baae62041
- SHA1: f28b4c4c51dbf1bee8b3e51b4c9565538b62ef90
- SHA256: a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0
- SHA512: f506c348a21e328353df22582118b7e57866ea20260769e97a52c0f7657dc61e9de5ccfbea98284821cc13c000e44b5d6583c2fcc89994bcd34ac83e100b7df5
- SSDEEP: 98304:FrRU6IoGkLhXTK/gkCxQtl96jI5VkoZ/TuNUvh:bXx6gkCdjIP/IU
Malware Config
Signatures
- Registers COM server for autorun (1 TTPs, 4 IoCs)
  Processes: regsvr32.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F7A2593E-0DB6-8F4F-9613-17B6586F5F39}\InprocServer32 | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F7A2593E-0DB6-8F4F-9613-17B6586F5F39}\InprocServer32\ = "C:\\Program Files (x86)\\cosstminn\\JkeGaO7.x64.dll" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F7A2593E-0DB6-8F4F-9613-17B6586F5F39}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F7A2593E-0DB6-8F4F-9613-17B6586F5F39}\InprocServer32 | regsvr32.exe
- Loads dropped DLL (3 IoCs)
  Processes: a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe, regsvr32.exe, regsvr32.exe
  pid | process
  1424 | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  1800 | regsvr32.exe
  1968 | regsvr32.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Installs/modifies Browser Helper Object (2 TTPs, 8 IoCs)
  BHOs are DLL modules which act as plugins for Internet Explorer.
  Processes: regsvr32.exe, a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F7A2593E-0DB6-8F4F-9613-17B6586F5F39}\ = "cosstminn" | regsvr32.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F7A2593E-0DB6-8F4F-9613-17B6586F5F39}\NoExplorer = "1" | regsvr32.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F7A2593E-0DB6-8F4F-9613-17B6586F5F39} | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{F7A2593E-0DB6-8F4F-9613-17B6586F5F39} | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{F7A2593E-0DB6-8F4F-9613-17B6586F5F39}\ = "cosstminn" | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{F7A2593E-0DB6-8F4F-9613-17B6586F5F39}\NoExplorer = "1" | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{F7A2593E-0DB6-8F4F-9613-17B6586F5F39} | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F7A2593E-0DB6-8F4F-9613-17B6586F5F39} | regsvr32.exe
- Drops file in Program Files directory (8 IoCs)
  Processes: a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  description | ioc | process
  File opened for modification | C:\Program Files (x86)\cosstminn\JkeGaO7.x64.dll | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  File created | C:\Program Files (x86)\cosstminn\JkeGaO7.dll | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  File opened for modification | C:\Program Files (x86)\cosstminn\JkeGaO7.dll | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  File created | C:\Program Files (x86)\cosstminn\JkeGaO7.tlb | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  File opened for modification | C:\Program Files (x86)\cosstminn\JkeGaO7.tlb | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  File created | C:\Program Files (x86)\cosstminn\JkeGaO7.dat | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  File opened for modification | C:\Program Files (x86)\cosstminn\JkeGaO7.dat | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  File created | C:\Program Files (x86)\cosstminn\JkeGaO7.x64.dll | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
- Modifies Internet Explorer settings (8 IoCs)
  Processes: regsvr32.exe, a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  description | ioc | process
  Key deleted | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration | regsvr32.exe
  Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration | regsvr32.exe
  Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{F7A2593E-0DB6-8F4F-9613-17B6586F5F39} | regsvr32.exe
  Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{F7A2593E-0DB6-8F4F-9613-17B6586F5F39} | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  Key deleted | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{F7A2593E-0DB6-8F4F-9613-17B6586F5F39} | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  Key deleted | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  Key deleted | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{F7A2593E-0DB6-8F4F-9613-17B6586F5F39} | regsvr32.exe
- Modifies registry class (64 IoCs)
  Processes: a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe, regsvr32.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0" | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\cosstminn\\JkeGaO7.tlb" | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32 | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\Version = "1.0" | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\cosstminn.cosstminn.2.0\ = "cosstminn" | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\cosstminn.cosstminn.2.0\CLSID | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F7A2593E-0DB6-8F4F-9613-17B6586F5F39}\VersionIndependentProgID | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\cosstminn.cosstminn.2.0\ = "cosstminn" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32 | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0" | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC} | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\cosstminn.cosstminn\CLSID\ = "{F7A2593E-0DB6-8F4F-9613-17B6586F5F39}" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F7A2593E-0DB6-8F4F-9613-17B6586F5F39}\VersionIndependentProgID\ = "cosstminn" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F7A2593E-0DB6-8F4F-9613-17B6586F5F39}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640} | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F7A2593E-0DB6-8F4F-9613-17B6586F5F39}\VersionIndependentProgID\ = "cosstminn" | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC} | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F7A2593E-0DB6-8F4F-9613-17B6586F5F39}\InprocServer32 | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\cosstminn.cosstminn\CurVer\ = "cosstminn.2.0" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib" | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\cosstminn" | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F7A2593E-0DB6-8F4F-9613-17B6586F5F39}\Implemented Categories | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0 | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F7A2593E-0DB6-8F4F-9613-17B6586F5F39}\VersionIndependentProgID | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F7A2593E-0DB6-8F4F-9613-17B6586F5F39}\ProgID | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F7A2593E-0DB6-8F4F-9613-17B6586F5F39} | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry" | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F7A2593E-0DB6-8F4F-9613-17B6586F5F39}\VersionIndependentProgID | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\Version = "1.0" | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F7A2593E-0DB6-8F4F-9613-17B6586F5F39}\ProgID\ = "cosstminn.2.0" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F7A2593E-0DB6-8F4F-9613-17B6586F5F39}\InprocServer32\ = "C:\\Program Files (x86)\\cosstminn\\JkeGaO7.x64.dll" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\cosstminn.cosstminn\CurVer\ = "cosstminn.2.0" | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F7A2593E-0DB6-8F4F-9613-17B6586F5F39} | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32 | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\cosstminn.cosstminn.2.0\CLSID\ = "{F7A2593E-0DB6-8F4F-9613-17B6586F5F39}" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\cosstminn.cosstminn.2.0 | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\cosstminn.cosstminn\ = "cosstminn" | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\cosstminn.cosstminn\CLSID\ = "{F7A2593E-0DB6-8F4F-9613-17B6586F5F39}" | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F7A2593E-0DB6-8F4F-9613-17B6586F5F39}\VersionIndependentProgID | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F7A2593E-0DB6-8F4F-9613-17B6586F5F39} | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F7A2593E-0DB6-8F4F-9613-17B6586F5F39}\ProgID | regsvr32.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F7A2593E-0DB6-8F4F-9613-17B6586F5F39}\InprocServer32 | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein" | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage" | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0" | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32 | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0" | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32 | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\cosstminn.cosstminn\CurVer | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes: a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  pid | process
  1424 | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  1424 | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  1424 | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  1424 | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  1424 | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  1424 | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes: a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  description | pid | process
  Token: SeDebugPrivilege | 1424 | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  Token: SeDebugPrivilege | 1424 | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  Token: SeDebugPrivilege | 1424 | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  Token: SeDebugPrivilege | 1424 | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  Token: SeDebugPrivilege | 1424 | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  Token: SeDebugPrivilege | 1424 | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes: a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe, regsvr32.exe
  description | pid | process | target process
  PID 1424 wrote to memory of 1800 | 1424 | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe | regsvr32.exe
  PID 1424 wrote to memory of 1800 | 1424 | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe | regsvr32.exe
  PID 1424 wrote to memory of 1800 | 1424 | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe | regsvr32.exe
  PID 1424 wrote to memory of 1800 | 1424 | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe | regsvr32.exe
  PID 1424 wrote to memory of 1800 | 1424 | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe | regsvr32.exe
  PID 1424 wrote to memory of 1800 | 1424 | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe | regsvr32.exe
  PID 1424 wrote to memory of 1800 | 1424 | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe | regsvr32.exe
  PID 1800 wrote to memory of 1968 | 1800 | regsvr32.exe | regsvr32.exe
  PID 1800 wrote to memory of 1968 | 1800 | regsvr32.exe | regsvr32.exe
  PID 1800 wrote to memory of 1968 | 1800 | regsvr32.exe | regsvr32.exe
  PID 1800 wrote to memory of 1968 | 1800 | regsvr32.exe | regsvr32.exe
  PID 1800 wrote to memory of 1968 | 1800 | regsvr32.exe | regsvr32.exe
  PID 1800 wrote to memory of 1968 | 1800 | regsvr32.exe | regsvr32.exe
  PID 1800 wrote to memory of 1968 | 1800 | regsvr32.exe | regsvr32.exe
- System policy modification (1 TTPs, 2 IoCs)
  Processes: a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{F7A2593E-0DB6-8F4F-9613-17B6586F5F39} = "1" | a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe"
   - Loads dropped DLL
   - Installs/modifies Browser Helper Object
   - Drops file in Program Files directory
   - Modifies Internet Explorer settings
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   - System policy modification
   PID: 1424
   2. C:\Windows\SysWOW64\regsvr32.exe (child of PID 1424)
      Command line: regsvr32.exe /s "C:\Program Files (x86)\cosstminn\JkeGaO7.x64.dll"
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID: 1800
      3. C:\Windows\system32\regsvr32.exe (child of PID 1800)
         Command line: /s "C:\Program Files (x86)\cosstminn\JkeGaO7.x64.dll"
         - Registers COM server for autorun
         - Loads dropped DLL
         - Installs/modifies Browser Helper Object
         - Modifies Internet Explorer settings
         - Modifies registry class
         PID: 1968
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Program Files (x86)\cosstminn\JkeGaO7.dat
  Filesize: 3KB
  MD5: 98f9a26da2ee3170794b66260f1ec85a
  SHA1: ba8e61e336c545ba2954748dd52732c0d0c19cb6
  SHA256: 38e3d7ba4165e77d0af28ef770bb16cf54d98caf8801f74c744334382fca4cc3
  SHA512: d43a5418afa5cfe93316b809e356737961b0fdc3593e80a98638965a1904b5bb04e4d638a4f59cb2139affeb352e418ee46c006867ea912478bc285b048a1df1
- C:\Program Files (x86)\cosstminn\JkeGaO7.tlb
  Filesize: 3KB
  MD5: 6101ac132c9a4133107178f12e0b25d4
  SHA1: 64a9d5d3ec0be4ef322776c28b5d6ac90df0ffd4
  SHA256: f9b73914e458e514e06360d95a365c2d40293b3f77ee55a0f0c40ccca5f735e6
  SHA512: 7fcc1021f536fd417368333c4e45e656feb2bdedb6658f2ad6b9eb0f0c51dbe70c2d3f2a3a32695af3715e6dcdf7503734e58431405701d7058d106357dbebeb
- C:\Program Files (x86)\cosstminn\JkeGaO7.x64.dll
  Filesize: 694KB
  MD5: c5ad41a0a13f64e21316c8e2ec186327
  SHA1: 13c9bf4d8288119095b7ef72f51322968bfd9b9e
  SHA256: 2af1c188224457f920ec19bb64797bd89cc55df7a1592395502aac9f2d1e9cd1
  SHA512: 45e489fbac63b34769b426faf8aba3f4bf396aa4e5bfe31cf39c1884839440fedaafc613083bcfb3fa18395c04d050d6a4a0545a0ce8f064e7ab781385b23cd4
- \Program Files (x86)\cosstminn\JkeGaO7.dll
  Filesize: 614KB
  MD5: 61edf8c8862834aa1b2ecf8f61fc3379
  SHA1: 5cb8cd66cf5c5fe8a2b73226b4a0257cea17150a
  SHA256: 8ced8d83b9d40ee1748b1a3c52aaa3f2693709f92926a804cc1019f989850232
  SHA512: 35bd23bf8094f4b765fdf8436936c23048524c97d9e4d59ca1a749c1206b2b90c5f500848dbfa207567a2174dd94889dedf8f150feafe382e226e6c677d1d9da
- \Program Files (x86)\cosstminn\JkeGaO7.x64.dll
  Filesize: 694KB
  MD5: c5ad41a0a13f64e21316c8e2ec186327
  SHA1: 13c9bf4d8288119095b7ef72f51322968bfd9b9e
  SHA256: 2af1c188224457f920ec19bb64797bd89cc55df7a1592395502aac9f2d1e9cd1
  SHA512: 45e489fbac63b34769b426faf8aba3f4bf396aa4e5bfe31cf39c1884839440fedaafc613083bcfb3fa18395c04d050d6a4a0545a0ce8f064e7ab781385b23cd4