aeb79dfe84b0ab733f19e7c62f0821f8e090bf0e8008fb56f761cc943f7b6808

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
18/10/2022, 00:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aeb79dfe84b0ab733f19e7c62f0821f8e090bf0e8008fb56f761cc943f7b6808.exe
Size

22KB
MD5

cd1cb74863676e245a88e21f27b8cacb
SHA1

d1d68db11c91be98a41878e2490abe58fbe0948f
SHA256

aeb79dfe84b0ab733f19e7c62f0821f8e090bf0e8008fb56f761cc943f7b6808
SHA512

050996dc4f51f3aac28aff68af544c58494c03cd457fa5d658588b703554eeffc288a876d8f1e74d6cc8275c7055a1e670f4f462054ec1c3a25b4b0b7a37350a
SSDEEP

384:uiChr3rmswfp6HKs8iyMbe1yTSOj1TStcWDHmGZOj:AGMK5/+4HOj1TStcIHfi

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1992	opera_updater.exe

Loads dropped DLL 1 IoCs

pid	Process
1476	aeb79dfe84b0ab733f19e7c62f0821f8e090bf0e8008fb56f761cc943f7b6808.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 1992	1476	aeb79dfe84b0ab733f19e7c62f0821f8e090bf0e8008fb56f761cc943f7b6808.exe	27
PID 1476 wrote to memory of 1992	1476	aeb79dfe84b0ab733f19e7c62f0821f8e090bf0e8008fb56f761cc943f7b6808.exe	27
PID 1476 wrote to memory of 1992	1476	aeb79dfe84b0ab733f19e7c62f0821f8e090bf0e8008fb56f761cc943f7b6808.exe	27
PID 1476 wrote to memory of 1992	1476	aeb79dfe84b0ab733f19e7c62f0821f8e090bf0e8008fb56f761cc943f7b6808.exe	27
PID 1476 wrote to memory of 1992	1476	aeb79dfe84b0ab733f19e7c62f0821f8e090bf0e8008fb56f761cc943f7b6808.exe	27
PID 1476 wrote to memory of 1992	1476	aeb79dfe84b0ab733f19e7c62f0821f8e090bf0e8008fb56f761cc943f7b6808.exe	27
PID 1476 wrote to memory of 1992	1476	aeb79dfe84b0ab733f19e7c62f0821f8e090bf0e8008fb56f761cc943f7b6808.exe	27

C:\Users\Admin\AppData\Local\Temp\aeb79dfe84b0ab733f19e7c62f0821f8e090bf0e8008fb56f761cc943f7b6808.exe
"C:\Users\Admin\AppData\Local\Temp\aeb79dfe84b0ab733f19e7c62f0821f8e090bf0e8008fb56f761cc943f7b6808.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Users\Admin\AppData\Local\Temp\opera_updater.exe
  "C:\Users\Admin\AppData\Local\Temp\opera_updater.exe"
  2⤵
  - Executes dropped EXE
  PID:1992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\opera_updater.exe

Filesize
22KB

MD5
7028d66c642ee0adb67a4dcf006587ea

SHA1
9452dae3f8c80d541faeee58df63c23aae8bed9d

SHA256
9f835651257e8626d4c61d4f2f97c3d4cd0b85edfb04f6e3c190543105318315

SHA512
d4301296f7658fb039e43be290a8b0f7a4bdabec555ea739d658afbecb0f076c68e8874c31388f6b73c17a1f3e55ad4dd5b8536e2b81cf437b6f39dd88aba5c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\opera_updater.exe

Filesize
22KB

MD5
7028d66c642ee0adb67a4dcf006587ea

SHA1
9452dae3f8c80d541faeee58df63c23aae8bed9d

SHA256
9f835651257e8626d4c61d4f2f97c3d4cd0b85edfb04f6e3c190543105318315

SHA512
d4301296f7658fb039e43be290a8b0f7a4bdabec555ea739d658afbecb0f076c68e8874c31388f6b73c17a1f3e55ad4dd5b8536e2b81cf437b6f39dd88aba5c1

Download Submit
\Users\Admin\AppData\Local\Temp\opera_updater.exe

Filesize
22KB

MD5
7028d66c642ee0adb67a4dcf006587ea

SHA1
9452dae3f8c80d541faeee58df63c23aae8bed9d

SHA256
9f835651257e8626d4c61d4f2f97c3d4cd0b85edfb04f6e3c190543105318315

SHA512
d4301296f7658fb039e43be290a8b0f7a4bdabec555ea739d658afbecb0f076c68e8874c31388f6b73c17a1f3e55ad4dd5b8536e2b81cf437b6f39dd88aba5c1

Download Submit
memory/1476-54-0x0000000075E51000-0x0000000075E53000-memory.dmp

Filesize
8KB

Download
memory/1476-57-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1992-61-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download