Analysis

  • max time kernel
    299s
  • max time network
    299s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • submitted
    08/11/2024, 03:41 UTC

General

  • Target

    08112024_0341_24102024_Updater.dll

  • Size

    129KB

  • MD5

    e08edc1510052adc297d6af47022a70b

  • SHA1

    f08af6d4a2f9655beb8219aca5711400efed8670

  • SHA256

    915a80abb43f04fcdfb9ba2ced3b38f3524c050b6c0a36d97f4e7827916248b2

  • SHA512

    2b91019e3d96b57362719b9bddb7b894239977266d23e2c8b9ebbcd93a9ba748491b96a92c1b4fd1876e74a3b7f3da99b89bb0e38a463a8ae9f357d9d9f66652

  • SSDEEP

    3072:Jhw2Pja55J8hTGMjctYnc/F5ipfVMFY3lz:Jhwv55WT7ctiiF5cV

Malware Config

Extracted

Family

warmcookie

Attributes
  • mutex

    65abfc80-a660-4691-a919-130dc9b75b98

Signatures

  • Warmcookie family
  • Warmcookie, Badspace

    Warmcookie aka Badspace is a backdoor written in C++.

  • Blocklisted process makes network request (60 IoCs)
  • Loads dropped DLL (4 IoCs)
  • Checks installed software on the system (1 TTPs)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory (1 IoCs)
  • Drops file in Windows directory (1 IoCs)
  • Modifies data under HKEY_USERS (46 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)
  • Uses Task Scheduler COM API (1 TTPs)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\08112024_0341_24102024_Updater.dll
    1⤵
    • Drops file in Windows directory
    PID:2676
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {F42539AF-616E-477D-B4E7-BF03B400F8D8} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2516
    • C:\Windows\system32\rundll32.exe
      C:\Windows\system32\rundll32.exe "C:\ProgramData\Specbee\Updater.dll",Start /u
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      PID:3060

Network

  • 185.161.251.26:443
    rundll32.exe
    152 B
    120 B
    3
    3
    (this identical record is listed 59 times in the report)
  • 185.161.251.26:443
    rundll32.exe
    104 B
    80 B
    2
    2

MITRE ATT&CK Enterprise v15


Downloads

  • C:\ProgramData\Specbee\Updater.dll

    Filesize

    129KB

    MD5

    e08edc1510052adc297d6af47022a70b

    SHA1

    f08af6d4a2f9655beb8219aca5711400efed8670

    SHA256

    915a80abb43f04fcdfb9ba2ced3b38f3524c050b6c0a36d97f4e7827916248b2

    SHA512

    2b91019e3d96b57362719b9bddb7b894239977266d23e2c8b9ebbcd93a9ba748491b96a92c1b4fd1876e74a3b7f3da99b89bb0e38a463a8ae9f357d9d9f66652
