778488340b7251649c57c20db388fdd4c8fe51fc53193cba47ca57d4c4acf033

General

Target

4ab285feb1b4d06f8af34199ef42c8ba.exe
Size

1.6MB
MD5

4ab285feb1b4d06f8af34199ef42c8ba
SHA1

d4e3dcd7b30e5e8b1a64d08b68b04ade4241e9e6
SHA256

778488340b7251649c57c20db388fdd4c8fe51fc53193cba47ca57d4c4acf033
SHA512

4e4dbfa1907024f340cbbea9d2eaa21ccb4c198897f6d539210eca8aa7ea79cf27876f114e6324b48327e5fb37ae02e1299094961d2d6f5c7b17fdba59f4325b
SSDEEP

49152:+bfcx2eIzRet6PPwyo2MIvJtoiQKusITOtr3:+gx/My6vJ+gue

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2860	cookieman.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4ab285feb1b4d06f8af34199ef42c8ba.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4ab285feb1b4d06f8af34199ef42c8ba.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main	4ab285feb1b4d06f8af34199ef42c8ba.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2548	4ab285feb1b4d06f8af34199ef42c8ba.exe
2548	4ab285feb1b4d06f8af34199ef42c8ba.exe
2748	4ab285feb1b4d06f8af34199ef42c8ba.exe
2748	4ab285feb1b4d06f8af34199ef42c8ba.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2748	4ab285feb1b4d06f8af34199ef42c8ba.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2748	4ab285feb1b4d06f8af34199ef42c8ba.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2748	4ab285feb1b4d06f8af34199ef42c8ba.exe
2748	4ab285feb1b4d06f8af34199ef42c8ba.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 2748	2548	4ab285feb1b4d06f8af34199ef42c8ba.exe	28
PID 2548 wrote to memory of 2748	2548	4ab285feb1b4d06f8af34199ef42c8ba.exe	28
PID 2548 wrote to memory of 2748	2548	4ab285feb1b4d06f8af34199ef42c8ba.exe	28
PID 2548 wrote to memory of 2748	2548	4ab285feb1b4d06f8af34199ef42c8ba.exe	28
PID 2548 wrote to memory of 2748	2548	4ab285feb1b4d06f8af34199ef42c8ba.exe	28
PID 2548 wrote to memory of 2748	2548	4ab285feb1b4d06f8af34199ef42c8ba.exe	28
PID 2548 wrote to memory of 2748	2548	4ab285feb1b4d06f8af34199ef42c8ba.exe	28

C:\Users\Admin\AppData\Local\Temp\4ab285feb1b4d06f8af34199ef42c8ba.exe
"C:\Users\Admin\AppData\Local\Temp\4ab285feb1b4d06f8af34199ef42c8ba.exe"
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Users\Admin\AppData\Local\Temp\4ab285feb1b4d06f8af34199ef42c8ba.exe
  "C:\Users\Admin\AppData\Local\Temp\4ab285feb1b4d06f8af34199ef42c8ba.exe" /wrapper /dir="C:\Users\Admin\AppData\Local\Temp\pkg_62431410"
  2⤵
  - Checks whether UAC is enabled
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2748
- - C:\Users\Admin\AppData\LocalLow\cookieman.exe
    "C:\Users\Admin\AppData\LocalLow\cookieman.exe" /mode=read installiq.com
    3⤵
    - Executes dropped EXE
    PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\cookie.ini

Filesize
34B

MD5
3f4519b56cb1e006dfe4341e72112913

SHA1
0ff5675d359c898b6a6bdc1dff10f71097bc9927

SHA256
125adf4924899f2026436c0919853bb78b718c7cb6f2187148b01938b79388a2

SHA512
78c0961f0828f32032c643f0e6ab59d1ca8b96bb891a74b0b255e1a1a63a0c581f486e9e16b070399e6365d1fb53464eb2b723932480b41a2df5e9f1eb89ab40

Download Submit
C:\Users\Admin\AppData\LocalLow\cookieman.exe

Filesize
45KB

MD5
e9f890b0cc57ffc4cbf579004f00e99e

SHA1
15250500d0dfda4f767c2327af2c42463b95f80e

SHA256
3a6a3f4a09a5e9056ae2ed9e1f9e1919acaa7a5bae5e2a90494b6bd591d0c2c1

SHA512
6a2104916e3e2ae15c810f5b2ac28d3298a32a123e187ed5e1aa4854b0c603f6c2c8a4cbf008eeaad45fadc176dfecc1ed3f9826d8a6c9c0538daf76120d729b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg_62431410\autorun.txt

Filesize
124B

MD5
e0d4d58403775a0a8c1a47474e361a82

SHA1
d58fb871665b106659a29bb664d29a38773ef941

SHA256
1ece227b42dcb95613ca0b3a6a13231cd5f313feb544eb985c3a0a6b54ffb6d2

SHA512
2fd6449ff00ffabe2ec113536d230c2e59a3bd87786e4d706fe0bd80e0e4988ba3accc3e136ff94b4bb3469e5a053224379ba2cd7a3b082890e73df644ec861a

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg_62431410\wrapper.xml

Filesize
1KB

MD5
3db83f039ef0c6d0f9a2db8e02ab744a

SHA1
f0ef7f3666933e3d46f2467f7a48722078de6615

SHA256
9a7e0e42263fce0d4521921818a757ff2ca485d16052e8e3287bc281a323daf6

SHA512
ba9b807533475d4629b6c798e1fb5ea6a385e26885023461c0167a7effd1878875be5a5c3206c1d04e06c45a929eb841d2bb53663628874b2f030cb2ae0155f1

Download Submit

Analysis

Sharing