d1cbcf8f6961580cf8c6fa3c1c3f9cb982463e393125c1f0ca2dea710a8bab87

General

Target

d1cbcf8f6961580cf8c6fa3c1c3f9cb982463e393125c1f0ca2dea710a8bab87.exe
Size

1.8MB
MD5

a59a4787cead2fc8292e646d50657041
SHA1

685d54f77a6808a0ef10ae80508519d578c489c3
SHA256

d1cbcf8f6961580cf8c6fa3c1c3f9cb982463e393125c1f0ca2dea710a8bab87
SHA512

07c6838694ff0361451c5b7dfe4bbe9b8e9346b7b8e10fc14bb8965619f22f141f1435d7f72498655e44a3df6f775c82b5ccc7c3b0f54c0f3a4fc7f015efa2a0
SSDEEP

24576:Mcocf49vcQKqrsu22upB+RFUcmSuf4VSjRv1vxOWnUL9K5b1w2TLjTJe65h8qDYR:McPSMCP84VSjVO5LMR1w2Tb5hPKZ

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2028	cookieman.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	d1cbcf8f6961580cf8c6fa3c1c3f9cb982463e393125c1f0ca2dea710a8bab87.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	d1cbcf8f6961580cf8c6fa3c1c3f9cb982463e393125c1f0ca2dea710a8bab87.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1880	d1cbcf8f6961580cf8c6fa3c1c3f9cb982463e393125c1f0ca2dea710a8bab87.exe
1880	d1cbcf8f6961580cf8c6fa3c1c3f9cb982463e393125c1f0ca2dea710a8bab87.exe
1932	d1cbcf8f6961580cf8c6fa3c1c3f9cb982463e393125c1f0ca2dea710a8bab87.exe
1932	d1cbcf8f6961580cf8c6fa3c1c3f9cb982463e393125c1f0ca2dea710a8bab87.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1932	d1cbcf8f6961580cf8c6fa3c1c3f9cb982463e393125c1f0ca2dea710a8bab87.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1880 wrote to memory of 1932	1880	d1cbcf8f6961580cf8c6fa3c1c3f9cb982463e393125c1f0ca2dea710a8bab87.exe	27
PID 1880 wrote to memory of 1932	1880	d1cbcf8f6961580cf8c6fa3c1c3f9cb982463e393125c1f0ca2dea710a8bab87.exe	27
PID 1880 wrote to memory of 1932	1880	d1cbcf8f6961580cf8c6fa3c1c3f9cb982463e393125c1f0ca2dea710a8bab87.exe	27
PID 1880 wrote to memory of 1932	1880	d1cbcf8f6961580cf8c6fa3c1c3f9cb982463e393125c1f0ca2dea710a8bab87.exe	27
PID 1880 wrote to memory of 1932	1880	d1cbcf8f6961580cf8c6fa3c1c3f9cb982463e393125c1f0ca2dea710a8bab87.exe	27
PID 1880 wrote to memory of 1932	1880	d1cbcf8f6961580cf8c6fa3c1c3f9cb982463e393125c1f0ca2dea710a8bab87.exe	27
PID 1880 wrote to memory of 1932	1880	d1cbcf8f6961580cf8c6fa3c1c3f9cb982463e393125c1f0ca2dea710a8bab87.exe	27

C:\Users\Admin\AppData\Local\Temp\d1cbcf8f6961580cf8c6fa3c1c3f9cb982463e393125c1f0ca2dea710a8bab87.exe
"C:\Users\Admin\AppData\Local\Temp\d1cbcf8f6961580cf8c6fa3c1c3f9cb982463e393125c1f0ca2dea710a8bab87.exe"
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Users\Admin\AppData\Local\Temp\d1cbcf8f6961580cf8c6fa3c1c3f9cb982463e393125c1f0ca2dea710a8bab87.exe
  "C:\Users\Admin\AppData\Local\Temp\d1cbcf8f6961580cf8c6fa3c1c3f9cb982463e393125c1f0ca2dea710a8bab87.exe" /wrapper /dir="C:\Users\Admin\AppData\Local\Temp\pkg_70161140" /pproc="explorer.exe"
  2⤵
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1932
- - C:\Users\Admin\AppData\LocalLow\cookieman.exe
    "C:\Users\Admin\AppData\LocalLow\cookieman.exe" /mode=read installiq.com
    3⤵
    - Executes dropped EXE
    PID:2028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\cookie.ini

Filesize
34B

MD5
3f4519b56cb1e006dfe4341e72112913

SHA1
0ff5675d359c898b6a6bdc1dff10f71097bc9927

SHA256
125adf4924899f2026436c0919853bb78b718c7cb6f2187148b01938b79388a2

SHA512
78c0961f0828f32032c643f0e6ab59d1ca8b96bb891a74b0b255e1a1a63a0c581f486e9e16b070399e6365d1fb53464eb2b723932480b41a2df5e9f1eb89ab40

Download Submit
C:\Users\Admin\AppData\LocalLow\cookieman.exe

Filesize
62KB

MD5
d08288fc3c69e61dc0a1ca4744c18750

SHA1
f3bc8fcd38ce1a300678de6421e11fc16799e754

SHA256
71a48a941d12f6e037f39365a4c1c575fe2ee8d3af3a070c3149cbb11338df0b

SHA512
a9c9a94c900803e8638d9e35606109592108f67b53d043e17a3d009cd5edcfb18c7f667ccbeedb45cff3cebb6c1d640b1a29d512113d75d2d4399204b4df4efc

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg_70161140\autorun.txt

Filesize
75B

MD5
63252584e8aa11f77871838a6129c2b3

SHA1
064f7a3330351825b6d0dd200c1bc9e4ed45b3fd

SHA256
9a4c2cfa6b8b1be3f70bf8a8af7a49e54fb182058e0441fc77968f5b67eeafab

SHA512
76a0878041258b00e3383f48f60942ad5d0b3d9e8e3021160ae58c4a700d20e86ee8b62846336a1b770c3196d4fc46430e430f1ebdfe075915a5b1df51529b1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg_70161140\wrapper.xml

Filesize
692B

MD5
44601e00ff712607d2a0b64de786d843

SHA1
5696d1604b564a38669035faf395f78c933d8717

SHA256
424ef303f88bcd0c6af1858cdacc0e3225545957fcb6c49110e39ff39b26b7f9

SHA512
7328a2db19fc89d43a4c6dac7338ebf71dfe418bf3bd5bf04966afa1cd76cc7c73daeea07496c7df425ad369f6b17ffcbdf3b2d5de7e7d70424621d9375b73d1

Download Submit
memory/1880-54-0x0000000075D71000-0x0000000075D73000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing