7f6b3d83c19a10de1dae5f8b008fa42b9ea5d1aaa80732a556d59a31821259ad

General

Target

7f6b3d83c19a10de1dae5f8b008fa42b9ea5d1aaa80732a556d59a31821259ad.exe
Size

1.6MB
MD5

1d60349bde6f642c894701dcc6735a61
SHA1

eb9da35c858838e499db10c117e1227cd9ab6c8f
SHA256

7f6b3d83c19a10de1dae5f8b008fa42b9ea5d1aaa80732a556d59a31821259ad
SHA512

2f6162a386288472a9e364fba8178b4dc6d28c43109ce84368fb5088cf76ae0c93e0624d939baf05156d4b2e28b0c46598df519e2dbb70e1e3552a4652a8e8d9
SSDEEP

49152:CkK5IVKw/au2e4FE2UgJlLQ7adasXTOjnbIr:NzauKZU1adasyjbW

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2732 created 964	2732	svchost.exe	79

Executes dropped EXE 1 IoCs

pid	Process
4972	cookieman.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7f6b3d83c19a10de1dae5f8b008fa42b9ea5d1aaa80732a556d59a31821259ad.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7f6b3d83c19a10de1dae5f8b008fa42b9ea5d1aaa80732a556d59a31821259ad.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4668	7f6b3d83c19a10de1dae5f8b008fa42b9ea5d1aaa80732a556d59a31821259ad.exe
4668	7f6b3d83c19a10de1dae5f8b008fa42b9ea5d1aaa80732a556d59a31821259ad.exe
4668	7f6b3d83c19a10de1dae5f8b008fa42b9ea5d1aaa80732a556d59a31821259ad.exe
4668	7f6b3d83c19a10de1dae5f8b008fa42b9ea5d1aaa80732a556d59a31821259ad.exe
964	7f6b3d83c19a10de1dae5f8b008fa42b9ea5d1aaa80732a556d59a31821259ad.exe
964	7f6b3d83c19a10de1dae5f8b008fa42b9ea5d1aaa80732a556d59a31821259ad.exe
964	7f6b3d83c19a10de1dae5f8b008fa42b9ea5d1aaa80732a556d59a31821259ad.exe
964	7f6b3d83c19a10de1dae5f8b008fa42b9ea5d1aaa80732a556d59a31821259ad.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	964	7f6b3d83c19a10de1dae5f8b008fa42b9ea5d1aaa80732a556d59a31821259ad.exe
Token: SeTcbPrivilege	2732	svchost.exe
Token: SeTcbPrivilege	2732	svchost.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4668 wrote to memory of 964	4668	7f6b3d83c19a10de1dae5f8b008fa42b9ea5d1aaa80732a556d59a31821259ad.exe	79
PID 4668 wrote to memory of 964	4668	7f6b3d83c19a10de1dae5f8b008fa42b9ea5d1aaa80732a556d59a31821259ad.exe	79
PID 4668 wrote to memory of 964	4668	7f6b3d83c19a10de1dae5f8b008fa42b9ea5d1aaa80732a556d59a31821259ad.exe	79
PID 2732 wrote to memory of 4972	2732	svchost.exe	81
PID 2732 wrote to memory of 4972	2732	svchost.exe	81
PID 2732 wrote to memory of 4972	2732	svchost.exe	81

C:\Users\Admin\AppData\Local\Temp\7f6b3d83c19a10de1dae5f8b008fa42b9ea5d1aaa80732a556d59a31821259ad.exe
"C:\Users\Admin\AppData\Local\Temp\7f6b3d83c19a10de1dae5f8b008fa42b9ea5d1aaa80732a556d59a31821259ad.exe"
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4668
- C:\Users\Admin\AppData\Local\Temp\7f6b3d83c19a10de1dae5f8b008fa42b9ea5d1aaa80732a556d59a31821259ad.exe
  "C:\Users\Admin\AppData\Local\Temp\7f6b3d83c19a10de1dae5f8b008fa42b9ea5d1aaa80732a556d59a31821259ad.exe" /wrapper /dir="C:\Users\Admin\AppData\Local\Temp\pkg_d14263c70"
  2⤵
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:964
- - C:\Users\Admin\AppData\LocalLow\cookieman.exe
    "C:\Users\Admin\AppData\LocalLow\cookieman.exe" /mode=read installiq.com
    3⤵
    - Executes dropped EXE
    PID:4972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\cookie.ini

Filesize
34B

MD5
3f4519b56cb1e006dfe4341e72112913

SHA1
0ff5675d359c898b6a6bdc1dff10f71097bc9927

SHA256
125adf4924899f2026436c0919853bb78b718c7cb6f2187148b01938b79388a2

SHA512
78c0961f0828f32032c643f0e6ab59d1ca8b96bb891a74b0b255e1a1a63a0c581f486e9e16b070399e6365d1fb53464eb2b723932480b41a2df5e9f1eb89ab40

Download Submit
C:\Users\Admin\AppData\LocalLow\cookieman.exe

Filesize
45KB

MD5
3f2fd35078f696539945889c26a92fe1

SHA1
60bfd55939008371d40479dffa07100fe5d80c9c

SHA256
8904e670b2a4ad89bab6e6bda2e1c3898fb602b1bf480631801df6eb16810e57

SHA512
ab2b6ad20108f0786d772fb412f3def468a71612b5c6d2b1893c75f856f129603651c6cf58505c6e0c563604f88af929abb5f299cd3300c0d9df81a34f59869f

Download Submit
C:\Users\Admin\AppData\LocalLow\cookieman.exe

Filesize
45KB

MD5
3f2fd35078f696539945889c26a92fe1

SHA1
60bfd55939008371d40479dffa07100fe5d80c9c

SHA256
8904e670b2a4ad89bab6e6bda2e1c3898fb602b1bf480631801df6eb16810e57

SHA512
ab2b6ad20108f0786d772fb412f3def468a71612b5c6d2b1893c75f856f129603651c6cf58505c6e0c563604f88af929abb5f299cd3300c0d9df81a34f59869f

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg_d14263c70\autorun.txt

Filesize
121B

MD5
3b669ab44d080f5b64f47515ca0a5f55

SHA1
31dc38a89bfdbf5f732628e26889bd634fedd727

SHA256
f0ba7666c3678625c9935b03f568ca9334038a3b8c29a7aa4d4e345a1abe89c5

SHA512
f4404a533206c1e153c6c3b3cb9f2008c6a43cfb16401243cd529a78244259a4965a7e4393694d030c64b01d8b6269fe47a834f8555e01ac8ce6e9185327f069

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg_d14263c70\wrapper.xml

Filesize
692B

MD5
44601e00ff712607d2a0b64de786d843

SHA1
5696d1604b564a38669035faf395f78c933d8717

SHA256
424ef303f88bcd0c6af1858cdacc0e3225545957fcb6c49110e39ff39b26b7f9

SHA512
7328a2db19fc89d43a4c6dac7338ebf71dfe418bf3bd5bf04966afa1cd76cc7c73daeea07496c7df425ad369f6b17ffcbdf3b2d5de7e7d70424621d9375b73d1

Download Submit

Analysis

Sharing