warmcookie | 371cf9bcf9a3d7b11d5ac386bef9450beac8c66a546fea1ca9cf629cdb751825 | Triage

Analysis

max time kernel
1798s
max time network
1800s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
22/08/2024, 15:26

Sharing

Report Analysis Logs

General

Target

Run-Malware-1.bat
Size

88B
MD5

2ee06c41fd75f8fabd7453d3e1240a49
SHA1

02b77c02c6c55b6f40ffc409860c66fda803f39f
SHA256

68082405a1e0bdf0a6109a0a22f93677bb25b2aba804c77f2536a8090cf1e0d0
SHA512

354f4fb40ce5248a68ae8a6dfdabe9476970841de22b875788f8b8ec12b529bd702d18ca9f3a1e13412c68f67a3d7326b2c37fdfa5b63ceffbb3ea85682c204c

Score

10^/10

warmcookie backdoor

Malware Config

Extracted

Family

warmcookie

C2

72.5.43.29

Attributes

mutex
a208f030-25f9-4f41-8b57-6b0b7ecccf29
user_agent
Mozilla / 5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)

Signatures

Warmcookie, Badspace
Warmcookie aka Badspace is a backdoor written in C++.
backdoor warmcookie

Blocklisted process makes network request 28 IoCs

flow	pid	Process
1	2100	rundll32.exe
3	2100	rundll32.exe
5	2100	rundll32.exe
6	2100	rundll32.exe
7	2100	rundll32.exe
13	2100	rundll32.exe
16	2100	rundll32.exe
18	2100	rundll32.exe
19	2100	rundll32.exe
20	2100	rundll32.exe
21	2100	rundll32.exe
22	2100	rundll32.exe
23	2100	rundll32.exe
24	2100	rundll32.exe
25	2100	rundll32.exe
26	2100	rundll32.exe
27	2100	rundll32.exe
28	2100	rundll32.exe
29	2100	rundll32.exe
30	2100	rundll32.exe
31	2100	rundll32.exe
32	2100	rundll32.exe
52	2100	rundll32.exe
55	2100	rundll32.exe
56	2100	rundll32.exe
57	2100	rundll32.exe
58	2100	rundll32.exe
59	2100	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
2100	rundll32.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Touchtap.job	rundll32.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4880 wrote to memory of 3476	4880	cmd.exe	82
PID 4880 wrote to memory of 3476	4880	cmd.exe	82

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Run-Malware-1.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4880
- C:\Windows\system32\rundll32.exe
  rundll32.exe f4d2c9470b322af29b9188a3a590cbe85bacb9cc8fcd7c2e94d82271ded3f659.dll, Start
  2⤵
  - Drops file in Windows directory
  PID:3476

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe "C:\ProgramData\Touchtap\Updater.dll",Start /u
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:2100

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Touchtap\Updater.dll

Filesize
155KB

MD5
7a799f4f9aa63745a75b901a392aff29

SHA1
b9983463f637191ba12c2270ac52a547676a7037

SHA256
f4d2c9470b322af29b9188a3a590cbe85bacb9cc8fcd7c2e94d82271ded3f659

SHA512
e9eeb340dd620256d543ab43d08ccc23b555afa332c744c629fd8f40760f20a24e234955fc8d2e78a150f09028ca7a11650e0da157fff64833f13ce89a208c23

Download Submit