Analysis
- max time kernel: 1196s
- max time network: 1197s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13/11/2024, 13:52
Behavioral tasks
Behavioral task | Sample | Resource
behavioral1 | Updater.dll | win10v2004-20241007-en
behavioral2 | Updater.dll | win11-20241007-en
behavioral3 | launcher.bat | win10v2004-20241007-en
behavioral4 | launcher.bat | win11-20241007-en
General
- Target: launcher.bat
- Size: 61B
- MD5: 71fc33d2c87facdfbb2499300fc2bedd
- SHA1: 40ab3ac01282ce3c4df44afc5e73c6d7a7502430
- SHA256: 2f36e33a436d6f565230ba1dafc9dea801599d47a9ff3fbb940a200f43d8b3ae
- SHA512: 588b393c79c7ca748f4b4cc8fbffd7d221956bfcf9e8c4b73a0fd6d84527ecad050c5a9312fb608fc1cf276fb0149777a8d551b64af0869680beb17ff0670f2d
Malware Config
Extracted: warmcookie
- mutex: 65abfc80-a660-4691-a919-130dc9b75b98
Signatures
- Warmcookie family
- Warmcookie, Badspace
  Warmcookie aka Badspace is a backdoor written in C++.
- Blocklisted process makes network request (64 IoCs)
- Loads dropped DLL (1 IoC)
  pid | Process
  2800 | rundll32.exe
- Drops file in Windows directory (1 IoC)
  description | ioc | Process
  File created | C:\Windows\Tasks\Vectorform.job | rundll32.exe
- Modifies data under HKEY_USERS (5 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | rundll32.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | rundll32.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | rundll32.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | rundll32.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | rundll32.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  description | pid | Process | procid_target
  PID 2820 wrote to memory of 4536 | 2820 | cmd.exe | 85
  PID 2820 wrote to memory of 4536 | 2820 | cmd.exe | 85
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\cmd.exe (PID 2820)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\launcher.bat"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe (PID 4536)
    Command line: rundll32.exe Updater.dll,Start
    Signatures: Drops file in Windows directory
- C:\Windows\system32\rundll32.exe (PID 2800)
  Command line: C:\Windows\system32\rundll32.exe "C:\ProgramData\Vectorform\Updater.dll",Start /u
  Signatures: Blocklisted process makes network request; Loads dropped DLL; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 129KB
- MD5: e08edc1510052adc297d6af47022a70b
- SHA1: f08af6d4a2f9655beb8219aca5711400efed8670
- SHA256: 915a80abb43f04fcdfb9ba2ced3b38f3524c050b6c0a36d97f4e7827916248b2
- SHA512: 2b91019e3d96b57362719b9bddb7b894239977266d23e2c8b9ebbcd93a9ba748491b96a92c1b4fd1876e74a3b7f3da99b89bb0e38a463a8ae9f357d9d9f66652