c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339

General

Target

c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.exe
Size

19.5MB
MD5

6374c01ed81cea712fe61d0774521ac3
SHA1

6a2957d427b9ca85f58266564951e6e56da89566
SHA256

c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339
SHA512

4a85f10a54a8721d09e2ba9171882c53b83bdb9c87ad3ec84877f7a34d6007b6d12cfe0d9a8b48d41ac9054a3d78781a4fd299def96ff0927917b4d5c4bcab83

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

cmd.exe

flow pid process

10 1720 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmpopera.exe

pid process

876 c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp
1560 opera.exe

flow	pid	process
10	1720	cmd.exe

pid	process
876	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp
1560	opera.exe

Loads dropped DLL 3 IoCs

Processes:

c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.exec183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmpopera.exe

pid	process
1336	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.exe
876	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp
1560	opera.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

mountvol.exe

description ioc process

File opened (read-only) \??\P: mountvol.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

opera.exe

pid process

1560 opera.exe

description	ioc	process
File opened (read-only)	\??\P:	mountvol.exe

pid	process
1560	opera.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.exec183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmpcmd.execmd.exeopera.exe

description	pid	process	target process
PID 1336 wrote to memory of 876	1336	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.exe	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp
PID 1336 wrote to memory of 876	1336	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.exe	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp
PID 1336 wrote to memory of 876	1336	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.exe	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp
PID 1336 wrote to memory of 876	1336	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.exe	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp
PID 1336 wrote to memory of 876	1336	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.exe	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp
PID 1336 wrote to memory of 876	1336	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.exe	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp
PID 1336 wrote to memory of 876	1336	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.exe	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp
PID 876 wrote to memory of 1048	876	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp	cmd.exe
PID 876 wrote to memory of 1048	876	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp	cmd.exe
PID 876 wrote to memory of 1048	876	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp	cmd.exe
PID 876 wrote to memory of 1048	876	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp	cmd.exe
PID 876 wrote to memory of 268	876	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp	cmd.exe
PID 876 wrote to memory of 268	876	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp	cmd.exe
PID 876 wrote to memory of 268	876	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp	cmd.exe
PID 876 wrote to memory of 268	876	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp	cmd.exe
PID 876 wrote to memory of 1240	876	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp	cmd.exe
PID 876 wrote to memory of 1240	876	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp	cmd.exe
PID 876 wrote to memory of 1240	876	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp	cmd.exe
PID 876 wrote to memory of 1240	876	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp	cmd.exe
PID 1240 wrote to memory of 1480	1240	cmd.exe	setx.exe
PID 1240 wrote to memory of 1480	1240	cmd.exe	setx.exe
PID 1240 wrote to memory of 1480	1240	cmd.exe	setx.exe
PID 1240 wrote to memory of 1480	1240	cmd.exe	setx.exe
PID 1048 wrote to memory of 1472	1048	cmd.exe	mountvol.exe
PID 1048 wrote to memory of 1472	1048	cmd.exe	mountvol.exe
PID 1048 wrote to memory of 1472	1048	cmd.exe	mountvol.exe
PID 1048 wrote to memory of 1472	1048	cmd.exe	mountvol.exe
PID 876 wrote to memory of 924	876	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp	cmd.exe
PID 876 wrote to memory of 924	876	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp	cmd.exe
PID 876 wrote to memory of 924	876	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp	cmd.exe
PID 876 wrote to memory of 924	876	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp	cmd.exe
PID 876 wrote to memory of 1592	876	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp	cmd.exe
PID 876 wrote to memory of 1592	876	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp	cmd.exe
PID 876 wrote to memory of 1592	876	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp	cmd.exe
PID 876 wrote to memory of 1592	876	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp	cmd.exe
PID 876 wrote to memory of 432	876	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp	cmd.exe
PID 876 wrote to memory of 432	876	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp	cmd.exe
PID 876 wrote to memory of 432	876	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp	cmd.exe
PID 876 wrote to memory of 432	876	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp	cmd.exe
PID 876 wrote to memory of 740	876	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp	cmd.exe
PID 876 wrote to memory of 740	876	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp	cmd.exe
PID 876 wrote to memory of 740	876	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp	cmd.exe
PID 876 wrote to memory of 740	876	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp	cmd.exe
PID 876 wrote to memory of 1560	876	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp	opera.exe
PID 876 wrote to memory of 1560	876	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp	opera.exe
PID 876 wrote to memory of 1560	876	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp	opera.exe
PID 876 wrote to memory of 1560	876	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp	opera.exe
PID 1560 wrote to memory of 1720	1560	opera.exe	cmd.exe
PID 1560 wrote to memory of 1720	1560	opera.exe	cmd.exe
PID 1560 wrote to memory of 1720	1560	opera.exe	cmd.exe
PID 1560 wrote to memory of 1720	1560	opera.exe	cmd.exe
PID 1560 wrote to memory of 1720	1560	opera.exe	cmd.exe
PID 1560 wrote to memory of 1720	1560	opera.exe	cmd.exe
PID 1560 wrote to memory of 1720	1560	opera.exe	cmd.exe
PID 1560 wrote to memory of 1720	1560	opera.exe	cmd.exe
PID 1560 wrote to memory of 1720	1560	opera.exe	cmd.exe
PID 1560 wrote to memory of 1720	1560	opera.exe	cmd.exe
PID 1560 wrote to memory of 1720	1560	opera.exe	cmd.exe
PID 1560 wrote to memory of 1720	1560	opera.exe	cmd.exe
PID 1560 wrote to memory of 1720	1560	opera.exe	cmd.exe
PID 1560 wrote to memory of 1720	1560	opera.exe	cmd.exe
PID 1560 wrote to memory of 1720	1560	opera.exe	cmd.exe
PID 1560 wrote to memory of 1720	1560	opera.exe	cmd.exe
PID 1560 wrote to memory of 1720	1560	opera.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.exe
"C:\Users\Admin\AppData\Local\Temp\c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1336

C:\Users\Admin\AppData\Local\Temp\is-816R8.tmp\c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp
"C:\Users\Admin\AppData\Local\Temp\is-816R8.tmp\c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp" /SL5="$30158,19610817,831488,C:\Users\Admin\AppData\Local\Temp\c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:876

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C mountvol P: /D
3⤵
- Suspicious use of WriteProcessMemory
PID:1048

C:\Windows\SysWOW64\mountvol.exe
mountvol P: /D
4⤵
- Enumerates connected drives
PID:1472

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C setx /m PATH "%PATH%C:\Users\Admin\AppData\Local\Temp\is-KKQP8.tmp"
3⤵
- Suspicious use of WriteProcessMemory
PID:1240

C:\Windows\SysWOW64\setx.exe
setx /m PATH "C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\C:\Users\Admin\AppData\Local\Temp\is-KKQP8.tmp"
4⤵
PID:1480

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C bcdedit /set {bootmgr} path \EFI\Boot\bareflank.efi
3⤵
PID:268

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-KKQP8.tmp\devcon.exe" remove "ROOT\bareflank""
3⤵
PID:924

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-KKQP8.tmp\devcon.exe" install "C:\Users\Admin\AppData\Local\Temp\is-KKQP8.tmp\bfbuilder.inf" "ROOT\bfbuilder""
3⤵
PID:740

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-KKQP8.tmp\devcon.exe" remove "ROOT\bfbuilder""
3⤵
PID:432

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-KKQP8.tmp\devcon.exe" install "C:\Users\Admin\AppData\Local\Temp\is-KKQP8.tmp\bareflank.inf" "ROOT\bareflank""
3⤵
PID:1592

C:\Users\Admin\AppData\Roaming\opera.exe
"C:\Users\Admin\AppData\Roaming\opera.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1560

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
4⤵
- Blocklisted process makes network request
PID:1720

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-816R8.tmp\c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp
MD5
266673b16ab08a498deb528139dc7213

SHA1
f4f91f8056dbedc155b3965f19eeac7d185f1c9c

SHA256
c6fa242b88805720daf185db905717ff44f23086bb89f3409f100d4f80d95d3f

SHA512
c7fce8e4144f3b484726b6e0202cf4c911091ab04d5ea90ae445e9b5adba56f0e7f4f76f6f01917fccb8a566ddb6b3c4440fee5cf81fd56dee17f7bec984f908

Download Submit
C:\Users\Admin\AppData\Roaming\DUI70.dll
MD5
b28030547470704a3a16c5407bfb28bb

SHA1
0f5bff72f324bae9e693c06d00180e9da52e7689

SHA256
0e6be3a2873bba8a71da4158785b5b249863d4c1bc469ab7da0d43c8c06e2922

SHA512
751b46c31d38e3c5040a25d5a21db16c633a69919daee78b48ae102f35bc60146ceec4b46e568824a0f1c72df065f369645be67dbf035aa0bd28892fee210064

Download Submit
C:\Users\Admin\AppData\Roaming\opera.exe
MD5
8c545f6f1ba83c15b8b02ee4aa62ff11

SHA1
61bc86addcc641dc79cf84072fc04fa738d0596d

SHA256
4ea90ef6db17221b9e74f9bd390f65e9877eac59a39fccd900dccad7d986a1ad

SHA512
6b89da909ab6c392cee096a1479071f2a623363ade53b1c1f8e35af3e3004793c092123c8d4d0109b52d067f09262c330426646444aefaaa19da9ed9354af0a0

Download Submit
C:\Users\Admin\AppData\Roaming\u.txt
MD5
a357bfa782c0384a4f69fb0d329b364b

SHA1
bbf5251b3bf1974c6850cb47fa6feb4c59e0141d

SHA256
5686e45ed19be9357b84d53e4b129733efbfeeecf7306823a739127993cc487e

SHA512
6a40384feafb7288667831c3a54fb7d04c9cf235fb087737d02eba712576d942bd7fbba07e819909e34d5359a6d8bc1f5824442483047ab5f3ef6ddb1b47b155

Download Submit
C:\Users\Admin\AppData\Roaming\user.bin
MD5
0cccbe67a89513ec9072ae43ccf0ca36

SHA1
f32eba60b3f60388c38f819fd47a6b4327f98592

SHA256
0160889c87cb5bef893a2d0fd1a1ae22ee09610cf05e1f488e9ed390660ec9d5

SHA512
4f3cf7b5b5c87ad74db0381b9bc1a90d67235cf7d85ba82acc2d032ea5995351414c961268502a5518baf37e0ae2a14af4e5f2ef493caa8ef0a06e0811a7d62e

Download Submit
\Users\Admin\AppData\Local\Temp\is-816R8.tmp\c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp
MD5
266673b16ab08a498deb528139dc7213

SHA1
f4f91f8056dbedc155b3965f19eeac7d185f1c9c

SHA256
c6fa242b88805720daf185db905717ff44f23086bb89f3409f100d4f80d95d3f

SHA512
c7fce8e4144f3b484726b6e0202cf4c911091ab04d5ea90ae445e9b5adba56f0e7f4f76f6f01917fccb8a566ddb6b3c4440fee5cf81fd56dee17f7bec984f908

Download Submit
\Users\Admin\AppData\Roaming\dui70.dll
MD5
b28030547470704a3a16c5407bfb28bb

SHA1
0f5bff72f324bae9e693c06d00180e9da52e7689

SHA256
0e6be3a2873bba8a71da4158785b5b249863d4c1bc469ab7da0d43c8c06e2922

SHA512
751b46c31d38e3c5040a25d5a21db16c633a69919daee78b48ae102f35bc60146ceec4b46e568824a0f1c72df065f369645be67dbf035aa0bd28892fee210064

Download Submit
\Users\Admin\AppData\Roaming\opera.exe
MD5
8c545f6f1ba83c15b8b02ee4aa62ff11

SHA1
61bc86addcc641dc79cf84072fc04fa738d0596d

SHA256
4ea90ef6db17221b9e74f9bd390f65e9877eac59a39fccd900dccad7d986a1ad

SHA512
6b89da909ab6c392cee096a1479071f2a623363ade53b1c1f8e35af3e3004793c092123c8d4d0109b52d067f09262c330426646444aefaaa19da9ed9354af0a0

Download Submit
memory/268-64-0x0000000000000000-mapping.dmp

Download
memory/432-70-0x0000000000000000-mapping.dmp

Download
memory/740-71-0x0000000000000000-mapping.dmp

Download
memory/876-62-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/876-59-0x0000000000000000-mapping.dmp

Download
memory/924-68-0x0000000000000000-mapping.dmp

Download
memory/1048-63-0x0000000000000000-mapping.dmp

Download
memory/1240-65-0x0000000000000000-mapping.dmp

Download
memory/1336-54-0x0000000075B71000-0x0000000075B73000-memory.dmp

Filesize
8KB

Download
memory/1336-57-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1472-67-0x0000000000000000-mapping.dmp

Download
memory/1480-66-0x0000000000000000-mapping.dmp

Download
memory/1560-73-0x0000000000000000-mapping.dmp

Download
memory/1560-79-0x0000000000521000-0x000000000052B000-memory.dmp

Filesize
40KB

Download
memory/1592-69-0x0000000000000000-mapping.dmp

Download
memory/1720-81-0x0000000000000000-mapping.dmp

Download
memory/1720-83-0x0000000000090000-0x0000000000092000-memory.dmp

Filesize
8KB

Download
memory/1720-84-0x0000000000480000-0x0000000000488000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing