29e77b7f9e0bf2560fc15d5f4bcd23bbdc3999637b1f720cca4d4f02e88b117e

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
03/02/2024, 15:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8cb5826c9f4f25ab076b1458bd300f1d.exe
Size

1.6MB
MD5

8cb5826c9f4f25ab076b1458bd300f1d
SHA1

88e463d19c8cabd865e596986968757e773938ee
SHA256

29e77b7f9e0bf2560fc15d5f4bcd23bbdc3999637b1f720cca4d4f02e88b117e
SHA512

8bbdfdd3a1c388f1870bf9b90bcd201a91e3bf886ea988de0d2c447e86a690a2c5a4406665b247917e15c9832d482fd1f170e505034da4ea43925fa86cee25e7
SSDEEP

49152:JQagM/VkLHwbwexxcTcoOfhc8AxOVnbw+ij/TtCfjnbIc:GEVkLAxPo0c8hB9ijMjb9

Score

7^/10

evasion spyware stealer trojan

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3036	cookieman.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8cb5826c9f4f25ab076b1458bd300f1d.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8cb5826c9f4f25ab076b1458bd300f1d.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2136	8cb5826c9f4f25ab076b1458bd300f1d.exe
2136	8cb5826c9f4f25ab076b1458bd300f1d.exe
2736	8cb5826c9f4f25ab076b1458bd300f1d.exe
2736	8cb5826c9f4f25ab076b1458bd300f1d.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2736	8cb5826c9f4f25ab076b1458bd300f1d.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2736	8cb5826c9f4f25ab076b1458bd300f1d.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 2736	2136	8cb5826c9f4f25ab076b1458bd300f1d.exe	28
PID 2136 wrote to memory of 2736	2136	8cb5826c9f4f25ab076b1458bd300f1d.exe	28
PID 2136 wrote to memory of 2736	2136	8cb5826c9f4f25ab076b1458bd300f1d.exe	28
PID 2136 wrote to memory of 2736	2136	8cb5826c9f4f25ab076b1458bd300f1d.exe	28
PID 2136 wrote to memory of 2736	2136	8cb5826c9f4f25ab076b1458bd300f1d.exe	28
PID 2136 wrote to memory of 2736	2136	8cb5826c9f4f25ab076b1458bd300f1d.exe	28
PID 2136 wrote to memory of 2736	2136	8cb5826c9f4f25ab076b1458bd300f1d.exe	28

C:\Users\Admin\AppData\Local\Temp\8cb5826c9f4f25ab076b1458bd300f1d.exe
"C:\Users\Admin\AppData\Local\Temp\8cb5826c9f4f25ab076b1458bd300f1d.exe"
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Users\Admin\AppData\Local\Temp\8cb5826c9f4f25ab076b1458bd300f1d.exe
  "C:\Users\Admin\AppData\Local\Temp\8cb5826c9f4f25ab076b1458bd300f1d.exe" /wrapper /dir="C:\Users\Admin\AppData\Local\Temp\pkg_f2a513b0"
  2⤵
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2736
- - C:\Users\Admin\AppData\LocalLow\cookieman.exe
    "C:\Users\Admin\AppData\LocalLow\cookieman.exe" /mode=read installiq.com
    3⤵
    - Executes dropped EXE
    PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\cookie.ini

Filesize
34B

MD5
3f4519b56cb1e006dfe4341e72112913

SHA1
0ff5675d359c898b6a6bdc1dff10f71097bc9927

SHA256
125adf4924899f2026436c0919853bb78b718c7cb6f2187148b01938b79388a2

SHA512
78c0961f0828f32032c643f0e6ab59d1ca8b96bb891a74b0b255e1a1a63a0c581f486e9e16b070399e6365d1fb53464eb2b723932480b41a2df5e9f1eb89ab40

Download Submit
C:\Users\Admin\AppData\LocalLow\cookieman.exe

Filesize
45KB

MD5
9f311aeaab73b9cb6b963c75c0c22664

SHA1
dc168ad12ff00cdd1cb813966ffe7f67baab95c5

SHA256
61ff1ebc652ce8ce60a1f1f979f3068b1455c60aad2ca4c5989f53df57dde4f5

SHA512
1b39755db1d83d9eb330e2db60f413c431c7183ad1e3a1f1d63a7c14f02f73296d1e2814cf9f171ec7543cb21d4949707401c218ee0f26ea4230e3ef892b669d

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg_f2a513b0\autorun.txt

Filesize
141B

MD5
690b8f7377a7cf17f298521cf98e8bc3

SHA1
6743ec81f5d421deb024ead4f690e0746ff850fd

SHA256
8589cc3b40172feac2691bf7406802c906386a8c6baba4bdcd9fd5e6e930e8ce

SHA512
83be2f79df50f2cd055d313dedbb267b7f28334fd7ef5eec5d605b3fb140645318ffeea886c48954d917707d085d248fdff19e8f8a4b80447d95d797d4842553

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg_f2a513b0\wrapper.xml

Filesize
692B

MD5
44601e00ff712607d2a0b64de786d843

SHA1
5696d1604b564a38669035faf395f78c933d8717

SHA256
424ef303f88bcd0c6af1858cdacc0e3225545957fcb6c49110e39ff39b26b7f9

SHA512
7328a2db19fc89d43a4c6dac7338ebf71dfe418bf3bd5bf04966afa1cd76cc7c73daeea07496c7df425ad369f6b17ffcbdf3b2d5de7e7d70424621d9375b73d1

Download Submit