Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/11/2024, 14:13 UTC

General

  • Target

    launcher.bat

  • Size

    61B

  • MD5

    71fc33d2c87facdfbb2499300fc2bedd

  • SHA1

    40ab3ac01282ce3c4df44afc5e73c6d7a7502430

  • SHA256

    2f36e33a436d6f565230ba1dafc9dea801599d47a9ff3fbb940a200f43d8b3ae

  • SHA512

    588b393c79c7ca748f4b4cc8fbffd7d221956bfcf9e8c4b73a0fd6d84527ecad050c5a9312fb608fc1cf276fb0149777a8d551b64af0869680beb17ff0670f2d

Score
10/10

Malware Config

Extracted

Family

warmcookie

Attributes
  • mutex

    65abfc80-a660-4691-a919-130dc9b75b98

Signatures

  • Warmcookie family
  • Warmcookie, Badspace

    Warmcookie aka Badspace is a backdoor written in C++.

  • Blocklisted process makes network request 10 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\launcher.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2256
    • C:\Windows\system32\rundll32.exe
      rundll32.exe Updater.dll,Start
      2⤵
      • Drops file in Windows directory
      PID:4832
  • C:\Windows\system32\rundll32.exe
    C:\Windows\system32\rundll32.exe "C:\ProgramData\idooGROUP\Updater.dll",Start /u
    1⤵
    • Blocklisted process makes network request
    • Loads dropped DLL
    • Modifies data under HKEY_USERS
    PID:1280

Network

  • DNS reverse (PTR) lookups, all sent to 8.8.8.8:53 (flag: us); each request was "<name> IN PTR" and no response data was recorded:
    58.55.71.13.in-addr.arpa
    95.221.229.192.in-addr.arpa
    23.159.190.20.in-addr.arpa
    133.211.185.52.in-addr.arpa
    228.249.119.40.in-addr.arpa
    53.210.109.20.in-addr.arpa
    206.23.85.13.in-addr.arpa
    172.210.232.199.in-addr.arpa
    19.229.111.52.in-addr.arpa
  • TCP connections (ten in total) from the rundll32.exe process to 185.161.251.26:443; columns are bytes sent, bytes received, packets sent, packets received:
    Destination          Process       Sent    Received  Pkts out  Pkts in
    185.161.251.26:443   rundll32.exe  260 B   200 B     5         5
    185.161.251.26:443   rundll32.exe  260 B   200 B     5         5
    185.161.251.26:443   rundll32.exe  260 B   200 B     5         5
    185.161.251.26:443   rundll32.exe  260 B   200 B     5         5
    185.161.251.26:443   rundll32.exe  260 B   200 B     5         5
    185.161.251.26:443   rundll32.exe  260 B   160 B     5         4
    185.161.251.26:443   rundll32.exe  260 B   200 B     5         5
    185.161.251.26:443   rundll32.exe  260 B   200 B     5         5
    185.161.251.26:443   rundll32.exe  260 B   120 B     5         3
    185.161.251.26:443   rundll32.exe  260 B   40 B      5         1
  • DNS flows to 8.8.8.8:53, one per PTR request above; columns are bytes sent, bytes received, packets sent, packets received:
    Destination   Protocol  DNS request                    Sent   Received  Pkts out  Pkts in
    8.8.8.8:53    dns       58.55.71.13.in-addr.arpa       70 B   144 B     1         1
    8.8.8.8:53    dns       23.159.190.20.in-addr.arpa     72 B   158 B     1         1
    8.8.8.8:53    dns       95.221.229.192.in-addr.arpa    73 B   144 B     1         1
    8.8.8.8:53    dns       133.211.185.52.in-addr.arpa    73 B   147 B     1         1
    8.8.8.8:53    dns       228.249.119.40.in-addr.arpa    73 B   159 B     1         1
    8.8.8.8:53    dns       53.210.109.20.in-addr.arpa     72 B   158 B     1         1
    8.8.8.8:53    dns       206.23.85.13.in-addr.arpa      71 B   145 B     1         1
    8.8.8.8:53    dns       172.210.232.199.in-addr.arpa   74 B   128 B     1         1
    8.8.8.8:53    dns       19.229.111.52.in-addr.arpa     72 B   158 B     1         1

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\idooGROUP\Updater.dll

    Filesize

    129KB

    MD5

    e08edc1510052adc297d6af47022a70b

    SHA1

    f08af6d4a2f9655beb8219aca5711400efed8670

    SHA256

    915a80abb43f04fcdfb9ba2ced3b38f3524c050b6c0a36d97f4e7827916248b2

    SHA512

    2b91019e3d96b57362719b9bddb7b894239977266d23e2c8b9ebbcd93a9ba748491b96a92c1b4fd1876e74a3b7f3da99b89bb0e38a463a8ae9f357d9d9f66652
