warmcookie | b2b67092d3978b0a199c949591bb1872cbc49b91494726a513be407abc2ca6a9

Analysis

max time kernel
895s
max time network
889s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25/01/2025, 21:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rad59AD5.dll
Size

53KB
MD5

1a28984d6db3abdb967c0c19b56f887d
SHA1

b815a93dedd5575a77b5fa9c0d77a9bc783cdb27
SHA256

b2b67092d3978b0a199c949591bb1872cbc49b91494726a513be407abc2ca6a9
SHA512

63e255c48e9c36485e6e7bc31319fd407027829713cef93dd61edf132949ce3c2de741a70f6ba90347e3d0aa7112acc95b71a7405711eab925f5a491cd5d513f
SSDEEP

768:g9QHl5zJLsXpwnPA9KYMGZC7SNichPH/kGFyHxr6a6GPxxoqMo5ydqP+qL3i3:g2dJn7dSfjof2Jo5PM

Score

10^/10

warmcookie backdoor

Malware Config

Extracted

Family

warmcookie

149.248.58.85

Attributes

mutex
3e4d7a5b-aa72-4d5f-8f8c-b292257af55c
user_agent
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0

Signatures

Warmcookie family
warmcookie
Warmcookie, Badspace
Warmcookie aka Badspace is a backdoor written in C++.
backdoor warmcookie

Blocklisted process makes network request 13 IoCs

flow	pid	Process
31	1680	rundll32.exe
44	1680	rundll32.exe
45	1680	rundll32.exe
46	1680	rundll32.exe
53	1680	rundll32.exe
54	1680	rundll32.exe
56	1680	rundll32.exe
57	1680	rundll32.exe
58	1680	rundll32.exe
59	1680	rundll32.exe
60	1680	rundll32.exe
61	1680	rundll32.exe
62	1680	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
1680	rundll32.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\SoftServe.job	regsvr32.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	rundll32.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\rad59AD5.dll
1⤵
- Drops file in Windows directory
PID:4752

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe "C:\ProgramData\SoftServe\Updater.dll",Start /u
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:1680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SoftServe\Updater.dll

Filesize
53KB

MD5
1a28984d6db3abdb967c0c19b56f887d

SHA1
b815a93dedd5575a77b5fa9c0d77a9bc783cdb27

SHA256
b2b67092d3978b0a199c949591bb1872cbc49b91494726a513be407abc2ca6a9

SHA512
63e255c48e9c36485e6e7bc31319fd407027829713cef93dd61edf132949ce3c2de741a70f6ba90347e3d0aa7112acc95b71a7405711eab925f5a491cd5d513f

Download Submit
memory/1680-5-0x0000000068B80000-0x0000000068B97000-memory.dmp

Filesize
92KB

Download
memory/4752-0-0x0000000068B80000-0x0000000068B97000-memory.dmp

Filesize
92KB

Download