Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/08/2024, 01:04 UTC

General

  • Target

    0b26abc692b7a2877b6b6fce6aa99b29af125b063f1c41b507362def59f8dfce.dll

  • Size

    141KB

  • MD5

    2492aca399dfaf75e761586844734980

  • SHA1

    c7d147e588fe5ec6101bf69ec0dbc5d2252fbad6

  • SHA256

    0b26abc692b7a2877b6b6fce6aa99b29af125b063f1c41b507362def59f8dfce

  • SHA512

    1ce1a434b2cc5498b5547720d4eaf14a907b359492a1694847bb3119ca4b0b6ba8bfad02e2a39c71111aacd637db224a6b44c77c7469d19b9cbea4deab4b15fd

  • SSDEEP

    3072:HACxLpcTIhjZM3VhHSkYl8CagwurZvE9vV1ZQ6R:HTtpcPlJSTl4Pu8

Malware Config

Extracted

Family

warmcookie

C2

185.49.69.41

Attributes
  • mutex

    0b664cde-8833-4945-8aff-b301b3bfebe8

  • user_agent

    Mozilla / 4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;.NET CLR 1.0.3705)

Signatures

  • Warmcookie, Badspace

    Warmcookie aka Badspace is a backdoor written in C++.

  • Blocklisted process makes network request 26 IoCs
  • Loads dropped DLL 4 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Modifies data under HKEY_USERS 31 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0b26abc692b7a2877b6b6fce6aa99b29af125b063f1c41b507362def59f8dfce.dll
    1⤵
    • Drops file in Windows directory
    PID:2160
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {975B5237-C4CF-47BF-964C-CF2F575F5A44} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2180
    • C:\Windows\system32\rundll32.exe
      C:\Windows\system32\rundll32.exe "C:\ProgramData\RtlUpd\RtlUpd.dll",Start /p
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      PID:2768

Network

    Destination        Process         Sent    Received  Packets sent  Packets received
    185.49.69.41:80    rundll32.exe    152 B   120 B     3             3
    185.49.69.41:80    rundll32.exe    152 B   120 B     3             3
    185.49.69.41:80    rundll32.exe    152 B   120 B     3             3
    185.49.69.41:80    rundll32.exe    152 B   120 B     3             3
    185.49.69.41:80    rundll32.exe    152 B   120 B     3             3
    185.49.69.41:80    rundll32.exe    152 B   120 B     3             3
    185.49.69.41:80    rundll32.exe    152 B   120 B     3             3
    185.49.69.41:80    rundll32.exe    152 B   120 B     3             3
    185.49.69.41:80    rundll32.exe    152 B   80 B      3             2
    185.49.69.41:80    rundll32.exe    152 B   120 B     3             3
    185.49.69.41:80    rundll32.exe    152 B   120 B     3             3
    185.49.69.41:80    rundll32.exe    152 B   80 B      3             2
    185.49.69.41:80    rundll32.exe    152 B   120 B     3             3
    185.49.69.41:80    rundll32.exe    152 B   120 B     3             3
    185.49.69.41:80    rundll32.exe    152 B   120 B     3             3
    185.49.69.41:80    rundll32.exe    152 B   120 B     3             3
    185.49.69.41:80    rundll32.exe    152 B   120 B     3             3
    185.49.69.41:80    rundll32.exe    152 B   120 B     3             3
    185.49.69.41:80    rundll32.exe    152 B   120 B     3             3
    185.49.69.41:80    rundll32.exe    152 B   120 B     3             3
    185.49.69.41:80    rundll32.exe    152 B   80 B      3             2
    185.49.69.41:80    rundll32.exe    152 B   120 B     3             3
    185.49.69.41:80    rundll32.exe    152 B   120 B     3             3
    185.49.69.41:80    rundll32.exe    152 B   120 B     3             3
    185.49.69.41:80    rundll32.exe    152 B   120 B     3             3
    185.49.69.41:80    rundll32.exe    152 B   120 B     3             3

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\RtlUpd\RtlUpd.dll

    Filesize

    141KB

    MD5

    2492aca399dfaf75e761586844734980

    SHA1

    c7d147e588fe5ec6101bf69ec0dbc5d2252fbad6

    SHA256

    0b26abc692b7a2877b6b6fce6aa99b29af125b063f1c41b507362def59f8dfce

    SHA512

    1ce1a434b2cc5498b5547720d4eaf14a907b359492a1694847bb3119ca4b0b6ba8bfad02e2a39c71111aacd637db224a6b44c77c7469d19b9cbea4deab4b15fd