8084637376250c221755f2406c760029c32fbb688fe97baa4e67f1aa8c783e79

General

Target

8084637376250c221755f2406c760029c32fbb688fe97baa4e67f1aa8c783e79.exe
Size

1.6MB
MD5

2149c70a107af00d8706c7494a292320
SHA1

fe911e4c8f4058bb87ecfe8a6dd02f56228c2fc8
SHA256

8084637376250c221755f2406c760029c32fbb688fe97baa4e67f1aa8c783e79
SHA512

4cfd3e299cd3c9a529d9f49d88ba90e612b3305400ed1a86abe4d75185ab3bebf2106b1c78827d83e62db7ffb9b5aa140bb81c6c5b97fbd16121f1bdb29a041e
SSDEEP

49152:PkK5IVKw/au2e4FE2UgJlLQ7adasXT7jnbI1:szauKZU1adas/jbg

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1588 created 2620	1588	svchost.exe	79

Executes dropped EXE 1 IoCs

pid	Process
1648	cookieman.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8084637376250c221755f2406c760029c32fbb688fe97baa4e67f1aa8c783e79.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8084637376250c221755f2406c760029c32fbb688fe97baa4e67f1aa8c783e79.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
5088	8084637376250c221755f2406c760029c32fbb688fe97baa4e67f1aa8c783e79.exe
5088	8084637376250c221755f2406c760029c32fbb688fe97baa4e67f1aa8c783e79.exe
5088	8084637376250c221755f2406c760029c32fbb688fe97baa4e67f1aa8c783e79.exe
5088	8084637376250c221755f2406c760029c32fbb688fe97baa4e67f1aa8c783e79.exe
2620	8084637376250c221755f2406c760029c32fbb688fe97baa4e67f1aa8c783e79.exe
2620	8084637376250c221755f2406c760029c32fbb688fe97baa4e67f1aa8c783e79.exe
2620	8084637376250c221755f2406c760029c32fbb688fe97baa4e67f1aa8c783e79.exe
2620	8084637376250c221755f2406c760029c32fbb688fe97baa4e67f1aa8c783e79.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2620	8084637376250c221755f2406c760029c32fbb688fe97baa4e67f1aa8c783e79.exe
Token: SeTcbPrivilege	1588	svchost.exe
Token: SeTcbPrivilege	1588	svchost.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5088 wrote to memory of 2620	5088	8084637376250c221755f2406c760029c32fbb688fe97baa4e67f1aa8c783e79.exe	79
PID 5088 wrote to memory of 2620	5088	8084637376250c221755f2406c760029c32fbb688fe97baa4e67f1aa8c783e79.exe	79
PID 5088 wrote to memory of 2620	5088	8084637376250c221755f2406c760029c32fbb688fe97baa4e67f1aa8c783e79.exe	79
PID 1588 wrote to memory of 1648	1588	svchost.exe	81
PID 1588 wrote to memory of 1648	1588	svchost.exe	81
PID 1588 wrote to memory of 1648	1588	svchost.exe	81

C:\Users\Admin\AppData\Local\Temp\8084637376250c221755f2406c760029c32fbb688fe97baa4e67f1aa8c783e79.exe
"C:\Users\Admin\AppData\Local\Temp\8084637376250c221755f2406c760029c32fbb688fe97baa4e67f1aa8c783e79.exe"
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5088
- C:\Users\Admin\AppData\Local\Temp\8084637376250c221755f2406c760029c32fbb688fe97baa4e67f1aa8c783e79.exe
  "C:\Users\Admin\AppData\Local\Temp\8084637376250c221755f2406c760029c32fbb688fe97baa4e67f1aa8c783e79.exe" /wrapper /dir="C:\Users\Admin\AppData\Local\Temp\pkg_c1fc15b0"
  2⤵
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2620
- - C:\Users\Admin\AppData\LocalLow\cookieman.exe
    "C:\Users\Admin\AppData\LocalLow\cookieman.exe" /mode=read installiq.com
    3⤵
    - Executes dropped EXE
    PID:1648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\cookie.ini

Filesize
34B

MD5
3f4519b56cb1e006dfe4341e72112913

SHA1
0ff5675d359c898b6a6bdc1dff10f71097bc9927

SHA256
125adf4924899f2026436c0919853bb78b718c7cb6f2187148b01938b79388a2

SHA512
78c0961f0828f32032c643f0e6ab59d1ca8b96bb891a74b0b255e1a1a63a0c581f486e9e16b070399e6365d1fb53464eb2b723932480b41a2df5e9f1eb89ab40

Download Submit
C:\Users\Admin\AppData\LocalLow\cookieman.exe

Filesize
45KB

MD5
3f2fd35078f696539945889c26a92fe1

SHA1
60bfd55939008371d40479dffa07100fe5d80c9c

SHA256
8904e670b2a4ad89bab6e6bda2e1c3898fb602b1bf480631801df6eb16810e57

SHA512
ab2b6ad20108f0786d772fb412f3def468a71612b5c6d2b1893c75f856f129603651c6cf58505c6e0c563604f88af929abb5f299cd3300c0d9df81a34f59869f

Download Submit
C:\Users\Admin\AppData\LocalLow\cookieman.exe

Filesize
45KB

MD5
3f2fd35078f696539945889c26a92fe1

SHA1
60bfd55939008371d40479dffa07100fe5d80c9c

SHA256
8904e670b2a4ad89bab6e6bda2e1c3898fb602b1bf480631801df6eb16810e57

SHA512
ab2b6ad20108f0786d772fb412f3def468a71612b5c6d2b1893c75f856f129603651c6cf58505c6e0c563604f88af929abb5f299cd3300c0d9df81a34f59869f

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg_c1fc15b0\autorun.txt

Filesize
126B

MD5
1e6620b57a60c3b24c5af0f98d11014c

SHA1
490eab43374da27637cba3c58f4e55cc6a08ec01

SHA256
b811414158047faad6ad8472aa4207952af85f333ffd20ac5cb586152e2f093b

SHA512
8b695c16ee2ffb8b679d1f0871d03b15930f8893ed1a5de33778964f4e51521659a30b199e1a35d5d5334d175bf8911f3a7bb34c6891c6b1b146b64eebe8093f

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg_c1fc15b0\wrapper.xml

Filesize
692B

MD5
44601e00ff712607d2a0b64de786d843

SHA1
5696d1604b564a38669035faf395f78c933d8717

SHA256
424ef303f88bcd0c6af1858cdacc0e3225545957fcb6c49110e39ff39b26b7f9

SHA512
7328a2db19fc89d43a4c6dac7338ebf71dfe418bf3bd5bf04966afa1cd76cc7c73daeea07496c7df425ad369f6b17ffcbdf3b2d5de7e7d70424621d9375b73d1

Download Submit

Analysis

Sharing