44224dfaff9ffd9823b2fbb56d5e352d9cf50c4197a2acb432723d661c3c7e8d

General

Target

3699d6814e1a31c1be5e7f6322fd903e.exe
Size

1.6MB
MD5

3699d6814e1a31c1be5e7f6322fd903e
SHA1

54f582c43ccb80714111f04460f08e930a139282
SHA256

44224dfaff9ffd9823b2fbb56d5e352d9cf50c4197a2acb432723d661c3c7e8d
SHA512

d1ca136cecf4607fc0a1100cfbe68390fd93df4f857f1cb9e978cc856300e2606204b6e7a968f5330fa59e9810d4a78270ca13e31b89ac978812909486704c5b
SSDEEP

49152:s/fwUdLfGiPTStHxNtKgEAhK1kfqtOZ2Twjr5:swUdCi7KHs19tcl

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2652	cookieman.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3699d6814e1a31c1be5e7f6322fd903e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3699d6814e1a31c1be5e7f6322fd903e.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main	3699d6814e1a31c1be5e7f6322fd903e.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1272	3699d6814e1a31c1be5e7f6322fd903e.exe
1272	3699d6814e1a31c1be5e7f6322fd903e.exe
2036	3699d6814e1a31c1be5e7f6322fd903e.exe
2036	3699d6814e1a31c1be5e7f6322fd903e.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2036	3699d6814e1a31c1be5e7f6322fd903e.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2036	3699d6814e1a31c1be5e7f6322fd903e.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2036	3699d6814e1a31c1be5e7f6322fd903e.exe
2036	3699d6814e1a31c1be5e7f6322fd903e.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1272 wrote to memory of 2036	1272	3699d6814e1a31c1be5e7f6322fd903e.exe	28
PID 1272 wrote to memory of 2036	1272	3699d6814e1a31c1be5e7f6322fd903e.exe	28
PID 1272 wrote to memory of 2036	1272	3699d6814e1a31c1be5e7f6322fd903e.exe	28
PID 1272 wrote to memory of 2036	1272	3699d6814e1a31c1be5e7f6322fd903e.exe	28
PID 1272 wrote to memory of 2036	1272	3699d6814e1a31c1be5e7f6322fd903e.exe	28
PID 1272 wrote to memory of 2036	1272	3699d6814e1a31c1be5e7f6322fd903e.exe	28
PID 1272 wrote to memory of 2036	1272	3699d6814e1a31c1be5e7f6322fd903e.exe	28

C:\Users\Admin\AppData\Local\Temp\3699d6814e1a31c1be5e7f6322fd903e.exe
"C:\Users\Admin\AppData\Local\Temp\3699d6814e1a31c1be5e7f6322fd903e.exe"
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1272
- C:\Users\Admin\AppData\Local\Temp\3699d6814e1a31c1be5e7f6322fd903e.exe
  "C:\Users\Admin\AppData\Local\Temp\3699d6814e1a31c1be5e7f6322fd903e.exe" /wrapper /dir="C:\Users\Admin\AppData\Local\Temp\pkg_75126e0"
  2⤵
  - Checks whether UAC is enabled
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2036
- - C:\Users\Admin\AppData\LocalLow\cookieman.exe
    "C:\Users\Admin\AppData\LocalLow\cookieman.exe" /mode=read installiq.com
    3⤵
    - Executes dropped EXE
    PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\cookie.ini

Filesize
34B

MD5
3f4519b56cb1e006dfe4341e72112913

SHA1
0ff5675d359c898b6a6bdc1dff10f71097bc9927

SHA256
125adf4924899f2026436c0919853bb78b718c7cb6f2187148b01938b79388a2

SHA512
78c0961f0828f32032c643f0e6ab59d1ca8b96bb891a74b0b255e1a1a63a0c581f486e9e16b070399e6365d1fb53464eb2b723932480b41a2df5e9f1eb89ab40

Download Submit
C:\Users\Admin\AppData\LocalLow\cookieman.exe

Filesize
16KB

MD5
54f03b04d57cd6c5e2733ce61fb491e0

SHA1
0f9efc2c9760a30cd88de3370134b521c40e306a

SHA256
7254e16ff2e5c4bca31056752e76b5f9f85e56076a81308b8599d46e5e919565

SHA512
ae85e7a7d4035d53ad74a961f6cc6401959154fcd1fe8203a12441c54286e31cc997fad133fcddb13652f2d048c9c8ff521f545a4adc6894dd90c5202175647b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg_75126e0\autorun.txt

Filesize
108B

MD5
7ea6fb133fe37cc190fdfadc1f8e8bac

SHA1
4360d387176b4940f8d6c5ce77dde58a30d2cbf5

SHA256
d97e91a158cc746a6a0f6c6c962b3efe0e3e989112808804eae82d74a08b3a19

SHA512
fa560351d0b1de44245d056dfab4693c27677a981ec808155a6745242e965180979f01bb540e80ecbf9baca3e5dc60ef6753fd17800f5c0719ec6621d04bc85d

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg_75126e0\wrapper.xml

Filesize
798B

MD5
1d45a29e3511b982a1f91b33c70e964f

SHA1
176a47b489be3f27dc354a2b9dd0b580bb2f3904

SHA256
0a69c29fe16727b18425df8ded1cfe9d07a380b9f23f1beb32f60fefc000b3dc

SHA512
c574719f56a9cc0a3c393001f0774a5826afa5972906d9d9d214a183724a9f7226483a7181a0030e0f801b481a19957761efc170a10850aec786623eb939eb69

Download Submit

Analysis

Sharing