d1cbcf8f6961580cf8c6fa3c1c3f9cb982463e393125c1f0ca2dea710a8bab87

General

Target

d1cbcf8f6961580cf8c6fa3c1c3f9cb982463e393125c1f0ca2dea710a8bab87.exe
Size

1.8MB
MD5

a59a4787cead2fc8292e646d50657041
SHA1

685d54f77a6808a0ef10ae80508519d578c489c3
SHA256

d1cbcf8f6961580cf8c6fa3c1c3f9cb982463e393125c1f0ca2dea710a8bab87
SHA512

07c6838694ff0361451c5b7dfe4bbe9b8e9346b7b8e10fc14bb8965619f22f141f1435d7f72498655e44a3df6f775c82b5ccc7c3b0f54c0f3a4fc7f015efa2a0
SSDEEP

24576:Mcocf49vcQKqrsu22upB+RFUcmSuf4VSjRv1vxOWnUL9K5b1w2TLjTJe65h8qDYR:McPSMCP84VSjVO5LMR1w2Tb5hPKZ

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1016 created 4264	1016	svchost.exe	81

Executes dropped EXE 1 IoCs

pid	Process
260	cookieman.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	d1cbcf8f6961580cf8c6fa3c1c3f9cb982463e393125c1f0ca2dea710a8bab87.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	d1cbcf8f6961580cf8c6fa3c1c3f9cb982463e393125c1f0ca2dea710a8bab87.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2672	d1cbcf8f6961580cf8c6fa3c1c3f9cb982463e393125c1f0ca2dea710a8bab87.exe
2672	d1cbcf8f6961580cf8c6fa3c1c3f9cb982463e393125c1f0ca2dea710a8bab87.exe
2672	d1cbcf8f6961580cf8c6fa3c1c3f9cb982463e393125c1f0ca2dea710a8bab87.exe
2672	d1cbcf8f6961580cf8c6fa3c1c3f9cb982463e393125c1f0ca2dea710a8bab87.exe
4264	d1cbcf8f6961580cf8c6fa3c1c3f9cb982463e393125c1f0ca2dea710a8bab87.exe
4264	d1cbcf8f6961580cf8c6fa3c1c3f9cb982463e393125c1f0ca2dea710a8bab87.exe
4264	d1cbcf8f6961580cf8c6fa3c1c3f9cb982463e393125c1f0ca2dea710a8bab87.exe
4264	d1cbcf8f6961580cf8c6fa3c1c3f9cb982463e393125c1f0ca2dea710a8bab87.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4264	d1cbcf8f6961580cf8c6fa3c1c3f9cb982463e393125c1f0ca2dea710a8bab87.exe
Token: SeTcbPrivilege	1016	svchost.exe
Token: SeTcbPrivilege	1016	svchost.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 4264	2672	d1cbcf8f6961580cf8c6fa3c1c3f9cb982463e393125c1f0ca2dea710a8bab87.exe	81
PID 2672 wrote to memory of 4264	2672	d1cbcf8f6961580cf8c6fa3c1c3f9cb982463e393125c1f0ca2dea710a8bab87.exe	81
PID 2672 wrote to memory of 4264	2672	d1cbcf8f6961580cf8c6fa3c1c3f9cb982463e393125c1f0ca2dea710a8bab87.exe	81
PID 1016 wrote to memory of 260	1016	svchost.exe	83
PID 1016 wrote to memory of 260	1016	svchost.exe	83
PID 1016 wrote to memory of 260	1016	svchost.exe	83

C:\Users\Admin\AppData\Local\Temp\d1cbcf8f6961580cf8c6fa3c1c3f9cb982463e393125c1f0ca2dea710a8bab87.exe
"C:\Users\Admin\AppData\Local\Temp\d1cbcf8f6961580cf8c6fa3c1c3f9cb982463e393125c1f0ca2dea710a8bab87.exe"
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Users\Admin\AppData\Local\Temp\d1cbcf8f6961580cf8c6fa3c1c3f9cb982463e393125c1f0ca2dea710a8bab87.exe
  "C:\Users\Admin\AppData\Local\Temp\d1cbcf8f6961580cf8c6fa3c1c3f9cb982463e393125c1f0ca2dea710a8bab87.exe" /wrapper /dir="C:\Users\Admin\AppData\Local\Temp\pkg_701c470" /pproc="explorer.exe"
  2⤵
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4264
- - C:\Users\Admin\AppData\LocalLow\cookieman.exe
    "C:\Users\Admin\AppData\LocalLow\cookieman.exe" /mode=read installiq.com
    3⤵
    - Executes dropped EXE
    PID:260

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\cookie.ini

Filesize
34B

MD5
3f4519b56cb1e006dfe4341e72112913

SHA1
0ff5675d359c898b6a6bdc1dff10f71097bc9927

SHA256
125adf4924899f2026436c0919853bb78b718c7cb6f2187148b01938b79388a2

SHA512
78c0961f0828f32032c643f0e6ab59d1ca8b96bb891a74b0b255e1a1a63a0c581f486e9e16b070399e6365d1fb53464eb2b723932480b41a2df5e9f1eb89ab40

Download Submit
C:\Users\Admin\AppData\LocalLow\cookieman.exe

Filesize
62KB

MD5
d08288fc3c69e61dc0a1ca4744c18750

SHA1
f3bc8fcd38ce1a300678de6421e11fc16799e754

SHA256
71a48a941d12f6e037f39365a4c1c575fe2ee8d3af3a070c3149cbb11338df0b

SHA512
a9c9a94c900803e8638d9e35606109592108f67b53d043e17a3d009cd5edcfb18c7f667ccbeedb45cff3cebb6c1d640b1a29d512113d75d2d4399204b4df4efc

Download Submit
C:\Users\Admin\AppData\LocalLow\cookieman.exe

Filesize
62KB

MD5
d08288fc3c69e61dc0a1ca4744c18750

SHA1
f3bc8fcd38ce1a300678de6421e11fc16799e754

SHA256
71a48a941d12f6e037f39365a4c1c575fe2ee8d3af3a070c3149cbb11338df0b

SHA512
a9c9a94c900803e8638d9e35606109592108f67b53d043e17a3d009cd5edcfb18c7f667ccbeedb45cff3cebb6c1d640b1a29d512113d75d2d4399204b4df4efc

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg_701c470\autorun.txt

Filesize
75B

MD5
63252584e8aa11f77871838a6129c2b3

SHA1
064f7a3330351825b6d0dd200c1bc9e4ed45b3fd

SHA256
9a4c2cfa6b8b1be3f70bf8a8af7a49e54fb182058e0441fc77968f5b67eeafab

SHA512
76a0878041258b00e3383f48f60942ad5d0b3d9e8e3021160ae58c4a700d20e86ee8b62846336a1b770c3196d4fc46430e430f1ebdfe075915a5b1df51529b1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg_701c470\wrapper.xml

Filesize
692B

MD5
44601e00ff712607d2a0b64de786d843

SHA1
5696d1604b564a38669035faf395f78c933d8717

SHA256
424ef303f88bcd0c6af1858cdacc0e3225545957fcb6c49110e39ff39b26b7f9

SHA512
7328a2db19fc89d43a4c6dac7338ebf71dfe418bf3bd5bf04966afa1cd76cc7c73daeea07496c7df425ad369f6b17ffcbdf3b2d5de7e7d70424621d9375b73d1

Download Submit

Analysis

Sharing