635c4c20c790078d4e8607c724ae6da82e3d02f5418d11ae537cf55c9c253c40

Analysis

max time kernel
0s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
04/01/2024, 06:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

401cb6985e473798db8225f618224bcd.exe
Size

1.6MB
MD5

401cb6985e473798db8225f618224bcd
SHA1

a4c9cd39b7a31a5767bb6fae43012ce60ac5e8ea
SHA256

635c4c20c790078d4e8607c724ae6da82e3d02f5418d11ae537cf55c9c253c40
SHA512

930b0eb1c62858e7cbcd881e33c29e6b3d3f5b571cfd1d70b80e8faa9fb0102171a8b01243b394dbaa80c145d9ea62ff8ab8e59c7fbb3149708aae19b441f7a9
SSDEEP

49152:Q/fwUdeRW1s5ycjkcSZEDghtAkf4tJh8TNkra:QwUdf1GXj6BGt3i

Score

7^/10

evasion trojan

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2732	cookieman.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	401cb6985e473798db8225f618224bcd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	401cb6985e473798db8225f618224bcd.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2936	401cb6985e473798db8225f618224bcd.exe
2936	401cb6985e473798db8225f618224bcd.exe
2748	401cb6985e473798db8225f618224bcd.exe
2748	401cb6985e473798db8225f618224bcd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2748	401cb6985e473798db8225f618224bcd.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2748	401cb6985e473798db8225f618224bcd.exe
2748	401cb6985e473798db8225f618224bcd.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 2748	2936	401cb6985e473798db8225f618224bcd.exe	16
PID 2936 wrote to memory of 2748	2936	401cb6985e473798db8225f618224bcd.exe	16
PID 2936 wrote to memory of 2748	2936	401cb6985e473798db8225f618224bcd.exe	16
PID 2936 wrote to memory of 2748	2936	401cb6985e473798db8225f618224bcd.exe	16
PID 2936 wrote to memory of 2748	2936	401cb6985e473798db8225f618224bcd.exe	16
PID 2936 wrote to memory of 2748	2936	401cb6985e473798db8225f618224bcd.exe	16
PID 2936 wrote to memory of 2748	2936	401cb6985e473798db8225f618224bcd.exe	16

C:\Users\Admin\AppData\Local\Temp\401cb6985e473798db8225f618224bcd.exe
"C:\Users\Admin\AppData\Local\Temp\401cb6985e473798db8225f618224bcd.exe" /wrapper /dir="C:\Users\Admin\AppData\Local\Temp\pkg_61381480"
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2748
- C:\Users\Admin\AppData\LocalLow\cookieman.exe
  "C:\Users\Admin\AppData\LocalLow\cookieman.exe" /mode=read installiq.com
  2⤵
  - Executes dropped EXE
  PID:2732

C:\Users\Admin\AppData\Local\Temp\401cb6985e473798db8225f618224bcd.exe
"C:\Users\Admin\AppData\Local\Temp\401cb6985e473798db8225f618224bcd.exe"
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pkg_61381480\autorun.txt

Filesize
91B

MD5
5ee9b56a17afe85201df863907abcc9d

SHA1
576f587403b3b7e6a8725d9c2bcc56ee89f2b2fd

SHA256
de136ff23bf8c2d3fb94a51100af83ea2bae4a4aeec329dab2695688c9c84c36

SHA512
d25c64dbeea476993d763a76518e534aa0d789b25878a354dbdb9424d1768300eb4ac85f210298a690f6d5d4239da1e5b81b001e82db26e5db163ccd3d16f5f8

Download Submit