e33788fefb080c2dca7d9ea6f7b77777203b89c4a1fa82f7309987c4d52bba02

General

Target

e33788fefb080c2dca7d9ea6f7b77777203b89c4a1fa82f7309987c4d52bba02.exe
Size

1.3MB
MD5

32d0765247b4d97708d4fb9ddfcbbb81
SHA1

51563a1f00966f6438f45afe826a541ae1f4c3e4
SHA256

e33788fefb080c2dca7d9ea6f7b77777203b89c4a1fa82f7309987c4d52bba02
SHA512

052e922dfb36fcd473678fa6ea49a3b245b18954180a0724c98472fa4881cecc35dd97b7414bd2b2ae03b62e617e1d871f996e620c7731b37b5e9411dbf8b7b2
SSDEEP

24576:kVDQZ9UCFn086XBwKYQ5rub3tjvqE87rrGAByq7NRqk5I7LSEdw1:ODQZ9PF03XBwKIbtw9Byq7395IPs

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5040	e33788fefb080c2dca7d9ea6f7b77777203b89c4a1fa82f7309987c4d52bba02.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1048-133-0x0000000000200000-0x0000000000451000-memory.dmp	upx
behavioral2/files/0x0006000000022e32-137.dat	upx
behavioral2/memory/5040-139-0x0000000000A90000-0x0000000000CE1000-memory.dmp	upx
behavioral2/memory/1500-140-0x0000000000200000-0x0000000000451000-memory.dmp	upx

Loads dropped DLL 3 IoCs

pid	Process
1048	e33788fefb080c2dca7d9ea6f7b77777203b89c4a1fa82f7309987c4d52bba02.exe
1500	e33788fefb080c2dca7d9ea6f7b77777203b89c4a1fa82f7309987c4d52bba02.exe
5040	e33788fefb080c2dca7d9ea6f7b77777203b89c4a1fa82f7309987c4d52bba02.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	e33788fefb080c2dca7d9ea6f7b77777203b89c4a1fa82f7309987c4d52bba02.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Opera	e33788fefb080c2dca7d9ea6f7b77777203b89c4a1fa82f7309987c4d52bba02.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 1500	1048	e33788fefb080c2dca7d9ea6f7b77777203b89c4a1fa82f7309987c4d52bba02.exe	27
PID 1048 wrote to memory of 1500	1048	e33788fefb080c2dca7d9ea6f7b77777203b89c4a1fa82f7309987c4d52bba02.exe	27
PID 1048 wrote to memory of 1500	1048	e33788fefb080c2dca7d9ea6f7b77777203b89c4a1fa82f7309987c4d52bba02.exe	27
PID 1048 wrote to memory of 5040	1048	e33788fefb080c2dca7d9ea6f7b77777203b89c4a1fa82f7309987c4d52bba02.exe	35
PID 1048 wrote to memory of 5040	1048	e33788fefb080c2dca7d9ea6f7b77777203b89c4a1fa82f7309987c4d52bba02.exe	35
PID 1048 wrote to memory of 5040	1048	e33788fefb080c2dca7d9ea6f7b77777203b89c4a1fa82f7309987c4d52bba02.exe	35

C:\Users\Admin\AppData\Local\Temp\e33788fefb080c2dca7d9ea6f7b77777203b89c4a1fa82f7309987c4d52bba02.exe
"C:\Users\Admin\AppData\Local\Temp\e33788fefb080c2dca7d9ea6f7b77777203b89c4a1fa82f7309987c4d52bba02.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Users\Admin\AppData\Local\Temp\e33788fefb080c2dca7d9ea6f7b77777203b89c4a1fa82f7309987c4d52bba02.exe
  "C:\Users\Admin\AppData\Local\Temp\e33788fefb080c2dca7d9ea6f7b77777203b89c4a1fa82f7309987c4d52bba02.exe" --crash-reporter-parent-id=1048
  2⤵
  - Loads dropped DLL
  PID:1500
- C:\Users\Admin\AppData\Local\Temp\Opera Installer\e33788fefb080c2dca7d9ea6f7b77777203b89c4a1fa82f7309987c4d52bba02.exe
  "C:\Users\Admin\AppData\Local\Temp\Opera Installer\e33788fefb080c2dca7d9ea6f7b77777203b89c4a1fa82f7309987c4d52bba02.exe" --version
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Opera Installer\e33788fefb080c2dca7d9ea6f7b77777203b89c4a1fa82f7309987c4d52bba02.exe

Filesize
52KB

MD5
9c8f2f19b9b8466301126d8ac72782b2

SHA1
8d63d3918e893375638305a55e918a4a0d8cfe8a

SHA256
843d48f091d3e198def411a6fe2ab3cb2999ce409cbe10e3a5ba52382f3475b0

SHA512
5d9f488a5f8bb6178a111f50c0e8517ca2a59d39af8a0c0e1073f73239337509040859c26ce1334e77d017aee56f0ebebf98c3e4d00e94b6f7dd1b36506e7617

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_220930052338013.dll

Filesize
38KB

MD5
3205d01c980b17e3f67e1286f2d680df

SHA1
70d173fe659f599de63b510ec35d5bbffbcfbe7b

SHA256
cb7f6474e63307b4ab20918b4ca5adc1a4c27d2bb86f51277213ab089b56b336

SHA512
8552a906ad799928de416ea5b686f3df14684fd2c454e1d699956ddab41087b6d5aaa0898bedd3f2ca279baa4809a9a90c01656c19ba0a60a61d00415d8a076b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_220930052338357.dll

Filesize
39KB

MD5
919c80457c537a44bcda5d07cafcb604

SHA1
69883672b3c852d1483d3b3601e8e2e0d2c10c6a

SHA256
fe4a51dce4548eed452f67faba9446f613dc577980d10b8ef4ae688247710232

SHA512
1afdf5f3dd3c79d1b6bf10a99950dd9caa4eb3283d6d038c806bf9a92b7661661420444e291d5ba4e2823d0642be297c7d29ed9b7b613f440e322728c39a5804

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_220930052338795.dll

Filesize
41KB

MD5
cc6a006ac3ac3c5fc29499f4b40fba36

SHA1
4be5af3a60a118724944e9a56ff669164cafbbc8

SHA256
fa3df8b61456e52c36830e84a4f42de885357897a42fd69b225cb65ac7ffc5bf

SHA512
4e2d3331e67808447d635d2fa60c5e96535f4128994d1f094a908ac729ea32bb7d5e837c62cdc4fceb1b7bf3f3da822eb247c3e5ae21ac8b1f7b37f7bd925ad1

Download Submit
memory/1048-133-0x0000000000200000-0x0000000000451000-memory.dmp

Filesize
2.3MB

Download
memory/1500-140-0x0000000000200000-0x0000000000451000-memory.dmp

Filesize
2.3MB

Download
memory/5040-139-0x0000000000A90000-0x0000000000CE1000-memory.dmp

Filesize
2.3MB

Download

Analysis

Sharing