39ec888f14a32ee8d86e3b1a0fb537380ae7569ef8227830e9482ce068a74003

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/12/2023, 16:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

05e722cae151a6aa0eec327c16dc36cc.exe
Size

1.6MB
MD5

05e722cae151a6aa0eec327c16dc36cc
SHA1

1a1d8f7bedceeb05f088e164f144a8c76389a905
SHA256

39ec888f14a32ee8d86e3b1a0fb537380ae7569ef8227830e9482ce068a74003
SHA512

3509362f988bed3229e096ccb1fede5d735c95741cdce92b1f98a7cc9ba4491985f90842b57b7df7abe80ff1734cff9ec16665250f265b88f6c5f82254c2cd39
SSDEEP

49152:wil10spOIUcuzvFWiFbFPIakEfREyqcjFBT4WDTtO3jnbIB:VlrnUcMWeE6jrThUjbs

Score

7^/10

evasion spyware stealer trojan

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2796	cookieman.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	05e722cae151a6aa0eec327c16dc36cc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	05e722cae151a6aa0eec327c16dc36cc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1660	05e722cae151a6aa0eec327c16dc36cc.exe
1660	05e722cae151a6aa0eec327c16dc36cc.exe
2680	05e722cae151a6aa0eec327c16dc36cc.exe
2680	05e722cae151a6aa0eec327c16dc36cc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2680	05e722cae151a6aa0eec327c16dc36cc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2680	05e722cae151a6aa0eec327c16dc36cc.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 2680	1660	05e722cae151a6aa0eec327c16dc36cc.exe	28
PID 1660 wrote to memory of 2680	1660	05e722cae151a6aa0eec327c16dc36cc.exe	28
PID 1660 wrote to memory of 2680	1660	05e722cae151a6aa0eec327c16dc36cc.exe	28
PID 1660 wrote to memory of 2680	1660	05e722cae151a6aa0eec327c16dc36cc.exe	28
PID 1660 wrote to memory of 2680	1660	05e722cae151a6aa0eec327c16dc36cc.exe	28
PID 1660 wrote to memory of 2680	1660	05e722cae151a6aa0eec327c16dc36cc.exe	28
PID 1660 wrote to memory of 2680	1660	05e722cae151a6aa0eec327c16dc36cc.exe	28

C:\Users\Admin\AppData\Local\Temp\05e722cae151a6aa0eec327c16dc36cc.exe
"C:\Users\Admin\AppData\Local\Temp\05e722cae151a6aa0eec327c16dc36cc.exe"
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Users\Admin\AppData\Local\Temp\05e722cae151a6aa0eec327c16dc36cc.exe
  "C:\Users\Admin\AppData\Local\Temp\05e722cae151a6aa0eec327c16dc36cc.exe" /wrapper /dir="C:\Users\Admin\AppData\Local\Temp\pkg_01110110"
  2⤵
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2680
- - C:\Users\Admin\AppData\LocalLow\cookieman.exe
    "C:\Users\Admin\AppData\LocalLow\cookieman.exe" /mode=read installiq.com
    3⤵
    - Executes dropped EXE
    PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\cookie.ini

Filesize
34B

MD5
3f4519b56cb1e006dfe4341e72112913

SHA1
0ff5675d359c898b6a6bdc1dff10f71097bc9927

SHA256
125adf4924899f2026436c0919853bb78b718c7cb6f2187148b01938b79388a2

SHA512
78c0961f0828f32032c643f0e6ab59d1ca8b96bb891a74b0b255e1a1a63a0c581f486e9e16b070399e6365d1fb53464eb2b723932480b41a2df5e9f1eb89ab40

Download Submit
C:\Users\Admin\AppData\LocalLow\cookieman.exe

Filesize
45KB

MD5
464785e8dc7a5ef92cb25009156d8f3e

SHA1
4a51dc06bf3532d2fc17c2f26bed30be9005afd0

SHA256
fac1d0e85362f595a2d9aa27ec3b0c0f33a8c5eaae722fc63f102763d196a11d

SHA512
319a0092641484dbf808c50e71d0faaf35b60d48584c852e23b0b45519e61f7103831c8c7abf6fb6b7cd002ef5cf388b719a3a049000808ac36e612541316a2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg_01110110\autorun.txt

Filesize
84B

MD5
b9a0d4a56680e13113c8088a47036e16

SHA1
8d6c22bc1fa47b2a85c2f4592914048bd1d19624

SHA256
965b09690fb9b09e521846400840927ffcf983b6275bb10d6e4c2600edf2c1f6

SHA512
0678558b2a07a74a99733d39774cfe365d5a95983707f1cee7611480695063cb257da8b67155c00cf77d5e5d5fa764e7eac3c9ea04a0f03c044462dd61d8ce60

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg_01110110\wrapper.xml

Filesize
692B

MD5
44601e00ff712607d2a0b64de786d843

SHA1
5696d1604b564a38669035faf395f78c933d8717

SHA256
424ef303f88bcd0c6af1858cdacc0e3225545957fcb6c49110e39ff39b26b7f9

SHA512
7328a2db19fc89d43a4c6dac7338ebf71dfe418bf3bd5bf04966afa1cd76cc7c73daeea07496c7df425ad369f6b17ffcbdf3b2d5de7e7d70424621d9375b73d1

Download Submit