warmcookie | 74d605f499761efb73eb2e3b38b54383bf3c80511984a9908ff8eee23dc66f78

Analysis

max time kernel
154s
max time network
281s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
06/01/2025, 12:09 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OpenAL/x64/openal32.dll
Size

407KB
MD5

2b5a427b85eea53675484405af5010e0
SHA1

19201c0fb48ed20effd74de7989c2fa45326e35e
SHA256

f42706c862bc3d66550eb0a929bd5cb195c7a1f6a181cc854d59fc124d771023
SHA512

f1793a8d9402da2d23e14046ca2618bdb5fc0dd8986880f07d54df8fd3b23359de9d9b515f53b072a1d843b492d000ac5f2716ceb01f3f9d694e1aa8c4cf10d3
SSDEEP

6144:ipdaQesGCdaTNOznuivPI6YXaZGQTH0PBXWSD1y/X4uI+D:wTesGgaTNO6ivPjKaZG4X4uI+D

Score

10^/10

warmcookie backdoor

Malware Config

Extracted

Family

warmcookie

Signatures

Warmcookie family
warmcookie
Warmcookie, Badspace
Warmcookie aka Badspace is a backdoor written in C++.
backdoor warmcookie

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\OpenAL\x64\openal32.dll,#1
1⤵
PID:4184

Network

DNS

134.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

134.32.126.40.in-addr.arpa

IN PTR

Response
DNS

13.86.106.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.86.106.20.in-addr.arpa

IN PTR

Response
DNS

8.153.16.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.153.16.2.in-addr.arpa

IN PTR

Response

8.153.16.2.in-addr.arpa

IN PTR

a2-16-153-8deploystaticakamaitechnologiescom
DNS

196.249.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

196.249.167.52.in-addr.arpa

IN PTR

Response
DNS

fd.api.iris.microsoft.com

Remote address:

8.8.8.8:53

Request

fd.api.iris.microsoft.com

IN A

Response

fd.api.iris.microsoft.com

IN CNAME

fd-api-iris.trafficmanager.net

fd-api-iris.trafficmanager.net

IN CNAME

iris-de-prod-azsc-v2-weu.westeurope.cloudapp.azure.com

iris-de-prod-azsc-v2-weu.westeurope.cloudapp.azure.com

IN A

20.103.156.88
GET

https://fd.api.iris.microsoft.com/v4/api/selection?&asid=04A04B82AA4E46498D5B1B435AD807A2&nct=1&placement=88000677&bcnt=30&country=US&locale=en-US&poptin=0&fmt=json&clr=cdmlite&arch=AMD64&concp=0&d3dfl=D3D_FEATURE_LEVEL_12_1&devfam=Windows.Desktop&devosver=10.0.19044.4529&dinst=1733929130&dmret=0&drgng=244&flightbranch=&flightring=Retail&localid=w%3A27B846CF-205D-BC95-57D8-4BE6ACEB2900&osbranch=vb_release&oslocale=en-US&osret=1&ossku=EnterpriseS&osskuid=125&prccn=2&prccs=4192&prcmf=AuthenticAMD&procm=Intel%20Core%20Processor%20%28Broadwell%29&ram=4095&tinst=Client&tl=1&pat=0&smc=0&sac=0&disphorzres=1280&dispsize=14.7&dispvertres=720&ldisphorzres=1280&ldispvertres=720&moncnt=1&cpdsk=241361&frdsk=204360&lo=37271&tsu=37271

Remote address:

20.103.156.88:443

Request

GET /v4/api/selection?&asid=04A04B82AA4E46498D5B1B435AD807A2&nct=1&placement=88000677&bcnt=30&country=US&locale=en-US&poptin=0&fmt=json&clr=cdmlite&arch=AMD64&concp=0&d3dfl=D3D_FEATURE_LEVEL_12_1&devfam=Windows.Desktop&devosver=10.0.19044.4529&dinst=1733929130&dmret=0&drgng=244&flightbranch=&flightring=Retail&localid=w%3A27B846CF-205D-BC95-57D8-4BE6ACEB2900&osbranch=vb_release&oslocale=en-US&osret=1&ossku=EnterpriseS&osskuid=125&prccn=2&prccs=4192&prcmf=AuthenticAMD&procm=Intel%20Core%20Processor%20%28Broadwell%29&ram=4095&tinst=Client&tl=1&pat=0&smc=0&sac=0&disphorzres=1280&dispsize=14.7&dispvertres=720&ldisphorzres=1280&ldispvertres=720&moncnt=1&cpdsk=241361&frdsk=204360&lo=37271&tsu=37271 HTTP/2.0
host: fd.api.iris.microsoft.com
accept-encoding: gzip, deflate
x-sdk-hw-token: t=EwDoAppeBAAUGoFunEzxzyai/T0i5tnZAAR1eX0AAUl0UWqhQ6tRQmPOFVFxw0veUpxJLXWIluFutYr0Zle8htyZIIdazCbKkNwklyqsXOL5jFO53vaBzilWynygSyezhdm+Pxu0UfGGaOY7xr+Ns2NswNyI1YdiWB5ms/eHWi18ahdQsJBX26Yq0yh2f2RTcbLWRDwErNzSioP2hiRWkO8OCs2PthqXT7HVZcYJy7jRLu+kJvDVlSIrrkqjTnL4iPwHrj/SUWI5r8lRsENainLq3gPVAaZKdKFCuJLJwmDsICn3vuZddBiwInmNHQiqpYK7Co4LauOHj0sb1OXN1W7oE9LPV5pBTfVCmnMlcVvGozP2IdgoiUSmuyYd7ZMQZgAAEPK+Uj6WYbHM8+zkFPNmVnmwAW8hFN74C73UqoJXc15pfmqMLI23R9wdeoF0NbqbBkgY5yN8XlrLWwwTZGgm3RV/iH7NujzIolG7eR+zPrDWMZPN1BEsCjc0iUXiASRCNYKtFGGrnu7sQ8tA28XWFArq0wvDiAynYAx50KTRf8nk4DBVK8qbJflX3pVBv046QYV9QbBypUfkxbvqJuMs1htYrPeyznSF72I4dmVJaPPry0A5lq9eNZDQmpLj/r+6RER73I6QcmHmLVvjTCGiQmP4o1QUD5Ur/sGSVqL1mGWjDutTBQFIEmNo4+RKbtPHe0XB4qprCRCbNVLi9i8okW4myyy5NSAWhLT0PhOypG5TJmcJH/jR2mnHWq9an0owv2BvpfjBTqtlxGtd/s8imVV9gQVtck9RJjPz9/Qg/KBCiKCf7Y1HPsfIqhXldx9GDq1Se3Dr4ijTilKBavSu+DZb9Ps2h18vPI4GN9IbS15pFP6bN4GLEMi20XFWpFEQdnCTGi5/OI3VW5wUNDZZIGY06Ij5aQICaQAr2gapAE1h8JasFcX8P5XBSE4oCWJdfKae/Mak3xT1RAqQTh7bQf1LgNoB&p=

Response

HTTP/2.0 200

cache-control: no-store, no-cache
pragma: no-cache
content-length: 131
content-type: application/json; charset=utf-8
expires: Mon, 01 Jan 0001 00:00:00 GMT
server: Microsoft-IIS/10.0
arc-rsp-dbg: [{"DcoPlusDebug":"Status: Ok"},{"OPTOUTSTATE":"256"},{"REGIONALPOLICY":"0"}]
accept-ch: UA, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform, UA-Platform-Version
x-aspnet-version: 4.0.30319
x-powered-by: ASP.NET
strict-transport-security: max-age=31536000; includeSubDomains
date: Mon, 06 Jan 2025 12:11:19 GMT
DNS

53.210.109.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

53.210.109.20.in-addr.arpa

IN PTR

Response
DNS

88.156.103.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.156.103.20.in-addr.arpa

IN PTR

Response
DNS

241.42.69.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.42.69.40.in-addr.arpa

IN PTR

Response
DNS

22.236.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

22.236.111.52.in-addr.arpa

IN PTR

Response
DNS

15.173.189.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.173.189.20.in-addr.arpa

IN PTR

Response

20.103.156.88:443

https://fd.api.iris.microsoft.com/v4/api/selection?&asid=04A04B82AA4E46498D5B1B435AD807A2&nct=1&placement=88000677&bcnt=30&country=US&locale=en-US&poptin=0&fmt=json&clr=cdmlite&arch=AMD64&concp=0&d3dfl=D3D_FEATURE_LEVEL_12_1&devfam=Windows.Desktop&devosver=10.0.19044.4529&dinst=1733929130&dmret=0&drgng=244&flightbranch=&flightring=Retail&localid=w%3A27B846CF-205D-BC95-57D8-4BE6ACEB2900&osbranch=vb_release&oslocale=en-US&osret=1&ossku=EnterpriseS&osskuid=125&prccn=2&prccs=4192&prcmf=AuthenticAMD&procm=Intel%20Core%20Processor%20%28Broadwell%29&ram=4095&tinst=Client&tl=1&pat=0&smc=0&sac=0&disphorzres=1280&dispsize=14.7&dispvertres=720&ldisphorzres=1280&ldispvertres=720&moncnt=1&cpdsk=241361&frdsk=204360&lo=37271&tsu=37271

tls, http2

2.7kB
7.4kB
18
12

HTTP Request

GET https://fd.api.iris.microsoft.com/v4/api/selection?&asid=04A04B82AA4E46498D5B1B435AD807A2&nct=1&placement=88000677&bcnt=30&country=US&locale=en-US&poptin=0&fmt=json&clr=cdmlite&arch=AMD64&concp=0&d3dfl=D3D_FEATURE_LEVEL_12_1&devfam=Windows.Desktop&devosver=10.0.19044.4529&dinst=1733929130&dmret=0&drgng=244&flightbranch=&flightring=Retail&localid=w%3A27B846CF-205D-BC95-57D8-4BE6ACEB2900&osbranch=vb_release&oslocale=en-US&osret=1&ossku=EnterpriseS&osskuid=125&prccn=2&prccs=4192&prcmf=AuthenticAMD&procm=Intel%20Core%20Processor%20%28Broadwell%29&ram=4095&tinst=Client&tl=1&pat=0&smc=0&sac=0&disphorzres=1280&dispsize=14.7&dispvertres=720&ldisphorzres=1280&ldispvertres=720&moncnt=1&cpdsk=241361&frdsk=204360&lo=37271&tsu=37271

HTTP Response

200

8.8.8.8:53

134.32.126.40.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

134.32.126.40.in-addr.arpa
8.8.8.8:53

13.86.106.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

13.86.106.20.in-addr.arpa
8.8.8.8:53

8.153.16.2.in-addr.arpa

dns

69 B
131 B
1
1

DNS Request

8.153.16.2.in-addr.arpa
8.8.8.8:53

196.249.167.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

196.249.167.52.in-addr.arpa
8.8.8.8:53

fd.api.iris.microsoft.com

dns

71 B
196 B
1
1

DNS Request

fd.api.iris.microsoft.com

DNS Response

20.103.156.88
8.8.8.8:53

88.156.103.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

88.156.103.20.in-addr.arpa
8.8.8.8:53

53.210.109.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

53.210.109.20.in-addr.arpa
8.8.8.8:53

241.42.69.40.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

241.42.69.40.in-addr.arpa
8.8.8.8:53

22.236.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

22.236.111.52.in-addr.arpa
8.8.8.8:53

15.173.189.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

15.173.189.20.in-addr.arpa

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4184-0-0x000000006B600000-0x000000006B65D000-memory.dmp

Filesize
372KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.