f03774ecc29174c8f4b58ea1f1104ae9eabbc15fbe55249de35607efb511db4b

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 08:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13804d4ac01fbac60e965d0905236fba.exe
Size

1.6MB
MD5

13804d4ac01fbac60e965d0905236fba
SHA1

307092fa21ff8e6cf9a228415c8be5b66ab5774d
SHA256

f03774ecc29174c8f4b58ea1f1104ae9eabbc15fbe55249de35607efb511db4b
SHA512

438b692c6223061f482d06c64d81cbdca04ec8e6ec5d43e289649d851eddf95d394ce409c6885c1d2506eb7454df4ae0b793e3e8133c648e3a260049cca0931a
SSDEEP

49152:TJChoHJ1m8Gb0v8jSaRowLfQTVR6x9rbT+TjnbIM:dJ1/IkTM9rSjbJ

Score

7^/10

evasion spyware stealer trojan

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2732	cookieman.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	13804d4ac01fbac60e965d0905236fba.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	13804d4ac01fbac60e965d0905236fba.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2136	13804d4ac01fbac60e965d0905236fba.exe
2136	13804d4ac01fbac60e965d0905236fba.exe
2600	13804d4ac01fbac60e965d0905236fba.exe
2600	13804d4ac01fbac60e965d0905236fba.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2600	13804d4ac01fbac60e965d0905236fba.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2600	13804d4ac01fbac60e965d0905236fba.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 2600	2136	13804d4ac01fbac60e965d0905236fba.exe	28
PID 2136 wrote to memory of 2600	2136	13804d4ac01fbac60e965d0905236fba.exe	28
PID 2136 wrote to memory of 2600	2136	13804d4ac01fbac60e965d0905236fba.exe	28
PID 2136 wrote to memory of 2600	2136	13804d4ac01fbac60e965d0905236fba.exe	28
PID 2136 wrote to memory of 2600	2136	13804d4ac01fbac60e965d0905236fba.exe	28
PID 2136 wrote to memory of 2600	2136	13804d4ac01fbac60e965d0905236fba.exe	28
PID 2136 wrote to memory of 2600	2136	13804d4ac01fbac60e965d0905236fba.exe	28

C:\Users\Admin\AppData\Local\Temp\13804d4ac01fbac60e965d0905236fba.exe
"C:\Users\Admin\AppData\Local\Temp\13804d4ac01fbac60e965d0905236fba.exe"
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Users\Admin\AppData\Local\Temp\13804d4ac01fbac60e965d0905236fba.exe
  "C:\Users\Admin\AppData\Local\Temp\13804d4ac01fbac60e965d0905236fba.exe" /wrapper /dir="C:\Users\Admin\AppData\Local\Temp\pkg_d171c1410"
  2⤵
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2600
- - C:\Users\Admin\AppData\LocalLow\cookieman.exe
    "C:\Users\Admin\AppData\LocalLow\cookieman.exe" /mode=read installiq.com
    3⤵
    - Executes dropped EXE
    PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\cookie.ini

Filesize
34B

MD5
3f4519b56cb1e006dfe4341e72112913

SHA1
0ff5675d359c898b6a6bdc1dff10f71097bc9927

SHA256
125adf4924899f2026436c0919853bb78b718c7cb6f2187148b01938b79388a2

SHA512
78c0961f0828f32032c643f0e6ab59d1ca8b96bb891a74b0b255e1a1a63a0c581f486e9e16b070399e6365d1fb53464eb2b723932480b41a2df5e9f1eb89ab40

Download Submit
C:\Users\Admin\AppData\LocalLow\cookieman.exe

Filesize
45KB

MD5
93c285fffe3d40fb309bb05eb295d665

SHA1
865b6d25410f511185d8e8ea317b65d7abce1e8b

SHA256
49f20d50959b7955f8db511044ff15b78f66f9f9c763efb129fed908f6d8e691

SHA512
b64b693907c61ab903bdcd2d758e65dc615049f7bb295314ef28d5c789494478efd5606f1300f9b9825557834a87557ac1205c9ad483f19ed5b63f2a19dc1e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg_d171c1410\autorun.txt

Filesize
92B

MD5
2e601571a19e2b45380dbc90ea48a700

SHA1
698b7df484a6789494ccc316a5d87be56698d98b

SHA256
15e2eba9bed10b658afdcf24dd54a333c72db478aa043ebe3e7555077e1c924b

SHA512
2fd78f0232aafc80d608a9f5ee0f16333e2bac55a62e84e622e1b8e4e387d1775432d1db12fea59f56e9a7dfc44b003018c2b2c8c9836558cf449ff923224501

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg_d171c1410\wrapper.xml

Filesize
692B

MD5
44601e00ff712607d2a0b64de786d843

SHA1
5696d1604b564a38669035faf395f78c933d8717

SHA256
424ef303f88bcd0c6af1858cdacc0e3225545957fcb6c49110e39ff39b26b7f9

SHA512
7328a2db19fc89d43a4c6dac7338ebf71dfe418bf3bd5bf04966afa1cd76cc7c73daeea07496c7df425ad369f6b17ffcbdf3b2d5de7e7d70424621d9375b73d1

Download Submit