a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0

General

Target

a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
Size

3.2MB
MD5

d5aadcf5df636b34068edf4baae62041
SHA1

f28b4c4c51dbf1bee8b3e51b4c9565538b62ef90
SHA256

a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0
SHA512

f506c348a21e328353df22582118b7e57866ea20260769e97a52c0f7657dc61e9de5ccfbea98284821cc13c000e44b5d6583c2fcc89994bcd34ac83e100b7df5
SSDEEP

98304:FrRU6IoGkLhXTK/gkCxQtl96jI5VkoZ/TuNUvh:bXx6gkCdjIP/IU

Score

8^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F7A2593E-0DB6-8F4F-9613-17B6586F5F39}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F7A2593E-0DB6-8F4F-9613-17B6586F5F39}\InprocServer32\ = "C:\\Program Files (x86)\\cosstminn\\JkeGaO7.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F7A2593E-0DB6-8F4F-9613-17B6586F5F39}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F7A2593E-0DB6-8F4F-9613-17B6586F5F39}\InprocServer32	regsvr32.exe

Loads dropped DLL 3 IoCs

Processes:

a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exeregsvr32.exeregsvr32.exe

pid process

4868 a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
3972 regsvr32.exe
1944 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F7A2593E-0DB6-8F4F-9613-17B6586F5F39}	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F7A2593E-0DB6-8F4F-9613-17B6586F5F39}\ = "cosstminn"	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F7A2593E-0DB6-8F4F-9613-17B6586F5F39}\NoExplorer = "1"	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F7A2593E-0DB6-8F4F-9613-17B6586F5F39}	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F7A2593E-0DB6-8F4F-9613-17B6586F5F39}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F7A2593E-0DB6-8F4F-9613-17B6586F5F39}\ = "cosstminn"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F7A2593E-0DB6-8F4F-9613-17B6586F5F39}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F7A2593E-0DB6-8F4F-9613-17B6586F5F39}	regsvr32.exe

Drops file in Program Files directory 8 IoCs

Processes:

a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe

description	ioc	process
File created	C:\Program Files (x86)\cosstminn\JkeGaO7.tlb	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
File opened for modification	C:\Program Files (x86)\cosstminn\JkeGaO7.tlb	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
File created	C:\Program Files (x86)\cosstminn\JkeGaO7.dat	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
File opened for modification	C:\Program Files (x86)\cosstminn\JkeGaO7.dat	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
File created	C:\Program Files (x86)\cosstminn\JkeGaO7.x64.dll	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
File opened for modification	C:\Program Files (x86)\cosstminn\JkeGaO7.x64.dll	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
File created	C:\Program Files (x86)\cosstminn\JkeGaO7.dll	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
File opened for modification	C:\Program Files (x86)\cosstminn\JkeGaO7.dll	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

regsvr32.exea41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{F7A2593E-0DB6-8F4F-9613-17B6586F5F39}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{F7A2593E-0DB6-8F4F-9613-17B6586F5F39}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{F7A2593E-0DB6-8F4F-9613-17B6586F5F39}	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{F7A2593E-0DB6-8F4F-9613-17B6586F5F39}	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe

Modifies registry class 64 IoCs

Processes:

a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\Version = "1.0"	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F7A2593E-0DB6-8F4F-9613-17B6586F5F39}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F7A2593E-0DB6-8F4F-9613-17B6586F5F39}\Programmable	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F7A2593E-0DB6-8F4F-9613-17B6586F5F39}\InprocServer32\ = "C:\\Program Files (x86)\\cosstminn\\JkeGaO7.dll"	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F7A2593E-0DB6-8F4F-9613-17B6586F5F39}\InprocServer32	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cosstminn.cosstminn.2.0\ = "cosstminn"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F7A2593E-0DB6-8F4F-9613-17B6586F5F39}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F7A2593E-0DB6-8F4F-9613-17B6586F5F39}\VersionIndependentProgID\ = "cosstminn"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F7A2593E-0DB6-8F4F-9613-17B6586F5F39}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cosstminn.cosstminn.2.0\CLSID\ = "{F7A2593E-0DB6-8F4F-9613-17B6586F5F39}"	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cosstminn.cosstminn\CLSID\ = "{F7A2593E-0DB6-8F4F-9613-17B6586F5F39}"	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F7A2593E-0DB6-8F4F-9613-17B6586F5F39}\InprocServer32	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cosstminn.cosstminn\CurVer\ = "cosstminn.2.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cosstminn.cosstminn.2.0\ = "cosstminn"	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F7A2593E-0DB6-8F4F-9613-17B6586F5F39}	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F7A2593E-0DB6-8F4F-9613-17B6586F5F39}\Implemented Categories	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cosstminn.cosstminn.2.0	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F7A2593E-0DB6-8F4F-9613-17B6586F5F39}\ = "cosstminn"	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F7A2593E-0DB6-8F4F-9613-17B6586F5F39}\ProgID\ = "cosstminn.2.0"	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F7A2593E-0DB6-8F4F-9613-17B6586F5F39}\Programmable	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cosstminn.cosstminn\ = "cosstminn"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F7A2593E-0DB6-8F4F-9613-17B6586F5F39}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F7A2593E-0DB6-8F4F-9613-17B6586F5F39}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cosstminn.cosstminn.2.0\CLSID	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cosstminn.cosstminn	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F7A2593E-0DB6-8F4F-9613-17B6586F5F39}\VersionIndependentProgID	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\cosstminn\\JkeGaO7.tlb"	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F7A2593E-0DB6-8F4F-9613-17B6586F5F39}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F7A2593E-0DB6-8F4F-9613-17B6586F5F39}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cosstminn.cosstminn\CurVer\ = "cosstminn.2.0"	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F7A2593E-0DB6-8F4F-9613-17B6586F5F39}\InprocServer32\ThreadingModel = "Apartment"	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F7A2593E-0DB6-8F4F-9613-17B6586F5F39}\VersionIndependentProgID	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe

pid	process
4868	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
4868	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
4868	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
4868	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
4868	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
4868	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
4868	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
4868	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
4868	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
4868	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
4868	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
4868	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe

description	pid	process
Token: SeDebugPrivilege	4868	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
Token: SeDebugPrivilege	4868	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
Token: SeDebugPrivilege	4868	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
Token: SeDebugPrivilege	4868	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
Token: SeDebugPrivilege	4868	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
Token: SeDebugPrivilege	4868	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exeregsvr32.exe

description	pid	process	target process
PID 4868 wrote to memory of 3972	4868	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe	regsvr32.exe
PID 4868 wrote to memory of 3972	4868	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe	regsvr32.exe
PID 4868 wrote to memory of 3972	4868	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe	regsvr32.exe
PID 3972 wrote to memory of 1944	3972	regsvr32.exe	regsvr32.exe
PID 3972 wrote to memory of 1944	3972	regsvr32.exe	regsvr32.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{F7A2593E-0DB6-8F4F-9613-17B6586F5F39} = "1"	a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe

C:\Users\Admin\AppData\Local\Temp\a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe
"C:\Users\Admin\AppData\Local\Temp\a41cf84d0d919f93fb7c6d35447d4aac9340d779c9a10bd555171acf3f1773e0.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4868

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\cosstminn\JkeGaO7.x64.dll"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3972

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\cosstminn\JkeGaO7.x64.dll"
3⤵
- Registers COM server for autorun
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
PID:1944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\cosstminn\JkeGaO7.dat
Filesize
3KB

MD5
98f9a26da2ee3170794b66260f1ec85a

SHA1
ba8e61e336c545ba2954748dd52732c0d0c19cb6

SHA256
38e3d7ba4165e77d0af28ef770bb16cf54d98caf8801f74c744334382fca4cc3

SHA512
d43a5418afa5cfe93316b809e356737961b0fdc3593e80a98638965a1904b5bb04e4d638a4f59cb2139affeb352e418ee46c006867ea912478bc285b048a1df1

Download Submit
C:\Program Files (x86)\cosstminn\JkeGaO7.dll
Filesize
614KB

MD5
61edf8c8862834aa1b2ecf8f61fc3379

SHA1
5cb8cd66cf5c5fe8a2b73226b4a0257cea17150a

SHA256
8ced8d83b9d40ee1748b1a3c52aaa3f2693709f92926a804cc1019f989850232

SHA512
35bd23bf8094f4b765fdf8436936c23048524c97d9e4d59ca1a749c1206b2b90c5f500848dbfa207567a2174dd94889dedf8f150feafe382e226e6c677d1d9da

Download Submit
C:\Program Files (x86)\cosstminn\JkeGaO7.tlb
Filesize
3KB

MD5
6101ac132c9a4133107178f12e0b25d4

SHA1
64a9d5d3ec0be4ef322776c28b5d6ac90df0ffd4

SHA256
f9b73914e458e514e06360d95a365c2d40293b3f77ee55a0f0c40ccca5f735e6

SHA512
7fcc1021f536fd417368333c4e45e656feb2bdedb6658f2ad6b9eb0f0c51dbe70c2d3f2a3a32695af3715e6dcdf7503734e58431405701d7058d106357dbebeb

Download Submit
C:\Program Files (x86)\cosstminn\JkeGaO7.x64.dll
Filesize
694KB

MD5
c5ad41a0a13f64e21316c8e2ec186327

SHA1
13c9bf4d8288119095b7ef72f51322968bfd9b9e

SHA256
2af1c188224457f920ec19bb64797bd89cc55df7a1592395502aac9f2d1e9cd1

SHA512
45e489fbac63b34769b426faf8aba3f4bf396aa4e5bfe31cf39c1884839440fedaafc613083bcfb3fa18395c04d050d6a4a0545a0ce8f064e7ab781385b23cd4

Download Submit
C:\Program Files (x86)\cosstminn\JkeGaO7.x64.dll
Filesize
694KB

MD5
c5ad41a0a13f64e21316c8e2ec186327

SHA1
13c9bf4d8288119095b7ef72f51322968bfd9b9e

SHA256
2af1c188224457f920ec19bb64797bd89cc55df7a1592395502aac9f2d1e9cd1

SHA512
45e489fbac63b34769b426faf8aba3f4bf396aa4e5bfe31cf39c1884839440fedaafc613083bcfb3fa18395c04d050d6a4a0545a0ce8f064e7ab781385b23cd4

Download Submit
C:\Program Files (x86)\cosstminn\JkeGaO7.x64.dll
Filesize
694KB

MD5
c5ad41a0a13f64e21316c8e2ec186327

SHA1
13c9bf4d8288119095b7ef72f51322968bfd9b9e

SHA256
2af1c188224457f920ec19bb64797bd89cc55df7a1592395502aac9f2d1e9cd1

SHA512
45e489fbac63b34769b426faf8aba3f4bf396aa4e5bfe31cf39c1884839440fedaafc613083bcfb3fa18395c04d050d6a4a0545a0ce8f064e7ab781385b23cd4

Download Submit
memory/1944-158-0x0000000000000000-mapping.dmp

Download
memory/3972-155-0x0000000000000000-mapping.dmp

Download
memory/4868-142-0x00000000014D0000-0x00000000014D3000-memory.dmp

Filesize
12KB

Download
memory/4868-153-0x00000000014D0000-0x00000000014D3000-memory.dmp

Filesize
12KB

Download
memory/4868-146-0x00000000014D0000-0x00000000014D3000-memory.dmp

Filesize
12KB

Download
memory/4868-149-0x00000000014D0000-0x00000000014D3000-memory.dmp

Filesize
12KB

Download
memory/4868-150-0x00000000014D0000-0x00000000014D3000-memory.dmp

Filesize
12KB

Download
memory/4868-151-0x00000000014D0000-0x00000000014D3000-memory.dmp

Filesize
12KB

Download
memory/4868-148-0x00000000014D0000-0x00000000014D3000-memory.dmp

Filesize
12KB

Download
memory/4868-147-0x00000000014D0000-0x00000000014D3000-memory.dmp

Filesize
12KB

Download
memory/4868-152-0x00000000014D0000-0x00000000014D3000-memory.dmp

Filesize
12KB

Download
memory/4868-145-0x00000000014D0000-0x00000000014D3000-memory.dmp

Filesize
12KB

Download
memory/4868-144-0x00000000014D0000-0x00000000014D3000-memory.dmp

Filesize
12KB

Download
memory/4868-143-0x00000000014D0000-0x00000000014D3000-memory.dmp

Filesize
12KB

Download
memory/4868-132-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4868-141-0x00000000014D0000-0x00000000014D3000-memory.dmp

Filesize
12KB

Download
memory/4868-137-0x00000000014D0000-0x00000000014D3000-memory.dmp

Filesize
12KB

Download
memory/4868-138-0x00000000014D0000-0x00000000014D3000-memory.dmp

Filesize
12KB

Download
memory/4868-140-0x00000000014D0000-0x00000000014D3000-memory.dmp

Filesize
12KB

Download
memory/4868-139-0x00000000014D0000-0x00000000014D3000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads