c697e3d9a2f9c4c1174d371c3bff9a97e4bb964f08ecea78d2e5e7ca4b91e8a3

General

Target

c697e3d9a2f9c4c1174d371c3bff9a97e4bb964f08ecea78d2e5e7ca4b91e8a3.exe
Size

1.6MB
MD5

3cea162d7894e7423686e64d57c70dcc
SHA1

98ed66df327dca4ea080aecd1200188a58bd27c8
SHA256

c697e3d9a2f9c4c1174d371c3bff9a97e4bb964f08ecea78d2e5e7ca4b91e8a3
SHA512

d86fd134818cbafee85293abef9ea8c1c46d9a603b54e8f0ef9ea7de1bd03b25094525b1fb3834a66370ce71bf7dd430bf065dec3f22202a9cb4b688af89570d
SSDEEP

49152:BkK5IVKw/au2e4FE2UgJlLQ7adasXTLjnbIT:6zauKZU1adasvjbC

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3684 created 1636	3684	svchost.exe	81

Executes dropped EXE 1 IoCs

pid	Process
5012	cookieman.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c697e3d9a2f9c4c1174d371c3bff9a97e4bb964f08ecea78d2e5e7ca4b91e8a3.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c697e3d9a2f9c4c1174d371c3bff9a97e4bb964f08ecea78d2e5e7ca4b91e8a3.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1560	c697e3d9a2f9c4c1174d371c3bff9a97e4bb964f08ecea78d2e5e7ca4b91e8a3.exe
1560	c697e3d9a2f9c4c1174d371c3bff9a97e4bb964f08ecea78d2e5e7ca4b91e8a3.exe
1560	c697e3d9a2f9c4c1174d371c3bff9a97e4bb964f08ecea78d2e5e7ca4b91e8a3.exe
1560	c697e3d9a2f9c4c1174d371c3bff9a97e4bb964f08ecea78d2e5e7ca4b91e8a3.exe
1636	c697e3d9a2f9c4c1174d371c3bff9a97e4bb964f08ecea78d2e5e7ca4b91e8a3.exe
1636	c697e3d9a2f9c4c1174d371c3bff9a97e4bb964f08ecea78d2e5e7ca4b91e8a3.exe
1636	c697e3d9a2f9c4c1174d371c3bff9a97e4bb964f08ecea78d2e5e7ca4b91e8a3.exe
1636	c697e3d9a2f9c4c1174d371c3bff9a97e4bb964f08ecea78d2e5e7ca4b91e8a3.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1636	c697e3d9a2f9c4c1174d371c3bff9a97e4bb964f08ecea78d2e5e7ca4b91e8a3.exe
Token: SeTcbPrivilege	3684	svchost.exe
Token: SeTcbPrivilege	3684	svchost.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1560 wrote to memory of 1636	1560	c697e3d9a2f9c4c1174d371c3bff9a97e4bb964f08ecea78d2e5e7ca4b91e8a3.exe	81
PID 1560 wrote to memory of 1636	1560	c697e3d9a2f9c4c1174d371c3bff9a97e4bb964f08ecea78d2e5e7ca4b91e8a3.exe	81
PID 1560 wrote to memory of 1636	1560	c697e3d9a2f9c4c1174d371c3bff9a97e4bb964f08ecea78d2e5e7ca4b91e8a3.exe	81
PID 3684 wrote to memory of 5012	3684	svchost.exe	83
PID 3684 wrote to memory of 5012	3684	svchost.exe	83
PID 3684 wrote to memory of 5012	3684	svchost.exe	83

C:\Users\Admin\AppData\Local\Temp\c697e3d9a2f9c4c1174d371c3bff9a97e4bb964f08ecea78d2e5e7ca4b91e8a3.exe
"C:\Users\Admin\AppData\Local\Temp\c697e3d9a2f9c4c1174d371c3bff9a97e4bb964f08ecea78d2e5e7ca4b91e8a3.exe"
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1560
- C:\Users\Admin\AppData\Local\Temp\c697e3d9a2f9c4c1174d371c3bff9a97e4bb964f08ecea78d2e5e7ca4b91e8a3.exe
  "C:\Users\Admin\AppData\Local\Temp\c697e3d9a2f9c4c1174d371c3bff9a97e4bb964f08ecea78d2e5e7ca4b91e8a3.exe" /wrapper /dir="C:\Users\Admin\AppData\Local\Temp\pkg_b1d331a50"
  2⤵
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1636
- - C:\Users\Admin\AppData\LocalLow\cookieman.exe
    "C:\Users\Admin\AppData\LocalLow\cookieman.exe" /mode=read installiq.com
    3⤵
    - Executes dropped EXE
    PID:5012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\cookie.ini

Filesize
34B

MD5
3f4519b56cb1e006dfe4341e72112913

SHA1
0ff5675d359c898b6a6bdc1dff10f71097bc9927

SHA256
125adf4924899f2026436c0919853bb78b718c7cb6f2187148b01938b79388a2

SHA512
78c0961f0828f32032c643f0e6ab59d1ca8b96bb891a74b0b255e1a1a63a0c581f486e9e16b070399e6365d1fb53464eb2b723932480b41a2df5e9f1eb89ab40

Download Submit
C:\Users\Admin\AppData\LocalLow\cookieman.exe

Filesize
45KB

MD5
3f2fd35078f696539945889c26a92fe1

SHA1
60bfd55939008371d40479dffa07100fe5d80c9c

SHA256
8904e670b2a4ad89bab6e6bda2e1c3898fb602b1bf480631801df6eb16810e57

SHA512
ab2b6ad20108f0786d772fb412f3def468a71612b5c6d2b1893c75f856f129603651c6cf58505c6e0c563604f88af929abb5f299cd3300c0d9df81a34f59869f

Download Submit
C:\Users\Admin\AppData\LocalLow\cookieman.exe

Filesize
45KB

MD5
3f2fd35078f696539945889c26a92fe1

SHA1
60bfd55939008371d40479dffa07100fe5d80c9c

SHA256
8904e670b2a4ad89bab6e6bda2e1c3898fb602b1bf480631801df6eb16810e57

SHA512
ab2b6ad20108f0786d772fb412f3def468a71612b5c6d2b1893c75f856f129603651c6cf58505c6e0c563604f88af929abb5f299cd3300c0d9df81a34f59869f

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg_b1d331a50\autorun.txt

Filesize
114B

MD5
5f026a11355af20d63bda4e58bc09cbb

SHA1
b3708f3e60a755f74e98c85f673ab48fd2f1f64b

SHA256
736abb6e60490197179a9b4a7d90e897c6b682d7e7094e0bdbd489d0e9371db5

SHA512
fae1bb80485e7a5db0475cdca3c47bc166272eadfd9db28af70571b9e4d66cc445f6dd8d808002d989e871170e9b5448718dc6dedcc4553cb675d34a0cadb4a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg_b1d331a50\wrapper.xml

Filesize
692B

MD5
44601e00ff712607d2a0b64de786d843

SHA1
5696d1604b564a38669035faf395f78c933d8717

SHA256
424ef303f88bcd0c6af1858cdacc0e3225545957fcb6c49110e39ff39b26b7f9

SHA512
7328a2db19fc89d43a4c6dac7338ebf71dfe418bf3bd5bf04966afa1cd76cc7c73daeea07496c7df425ad369f6b17ffcbdf3b2d5de7e7d70424621d9375b73d1

Download Submit

Analysis

Sharing