f20ed60f14ba73f4564a302e37baedc7bc6180021a0067298061344ca2cb5b40

Analysis

max time kernel
153s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01/01/2024, 12:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f20ed60f14ba73f4564a302e37baedc7bc6180021a0067298061344ca2cb5b40.exe
Size

2.6MB
MD5

48dd2f342809c4b3fefae60aae2d2b00
SHA1

b353a99ebe62291ecedda811cad6d10a81b117a0
SHA256

f20ed60f14ba73f4564a302e37baedc7bc6180021a0067298061344ca2cb5b40
SHA512

3a26705326bfe4b91cf5da9250b56f48e30c75a5a0701695bcb715fd2d7814f8827b8b955ac6893c124e187afb049a65bc4f0972864df4dee66f4dcd925ec776
SSDEEP

49152:LJ33Y9YXyyUVYyCa0iNyXmAZ4z56BrWV8AZmG27DPHE8eAZzmLQyzGR/yQ41XAus:l0YXyy9WGX496BNAAG27DvE8e08zGNyg

Score

8^/10

spyware stealer upx

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
4352	f20ed60f14ba73f4564a302e37baedc7bc6180021a0067298061344ca2cb5b40.exe
1540	Assistant_106.0.4998.16_Setup.exe_sfx.exe
628	assistant_installer.exe
2624	assistant_installer.exe

Loads dropped DLL 7 IoCs

pid	Process
4952	f20ed60f14ba73f4564a302e37baedc7bc6180021a0067298061344ca2cb5b40.exe
4964	f20ed60f14ba73f4564a302e37baedc7bc6180021a0067298061344ca2cb5b40.exe
4352	f20ed60f14ba73f4564a302e37baedc7bc6180021a0067298061344ca2cb5b40.exe
628	assistant_installer.exe
628	assistant_installer.exe
2624	assistant_installer.exe
2624	assistant_installer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4952-0-0x0000000000450000-0x0000000000938000-memory.dmp	upx
behavioral2/memory/4964-5-0x0000000000450000-0x0000000000938000-memory.dmp	upx
behavioral2/files/0x0006000000023223-12.dat	upx
behavioral2/memory/4352-15-0x00000000009A0000-0x0000000000E88000-memory.dmp	upx
behavioral2/memory/4352-18-0x00000000009A0000-0x0000000000E88000-memory.dmp	upx
behavioral2/memory/4952-36-0x0000000000450000-0x0000000000938000-memory.dmp	upx
behavioral2/memory/4964-37-0x0000000000450000-0x0000000000938000-memory.dmp	upx

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	f20ed60f14ba73f4564a302e37baedc7bc6180021a0067298061344ca2cb5b40.exe
File opened (read-only)	\??\F:	f20ed60f14ba73f4564a302e37baedc7bc6180021a0067298061344ca2cb5b40.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	f20ed60f14ba73f4564a302e37baedc7bc6180021a0067298061344ca2cb5b40.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	f20ed60f14ba73f4564a302e37baedc7bc6180021a0067298061344ca2cb5b40.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	f20ed60f14ba73f4564a302e37baedc7bc6180021a0067298061344ca2cb5b40.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b90f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e404000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	f20ed60f14ba73f4564a302e37baedc7bc6180021a0067298061344ca2cb5b40.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c00000001000000040000000010000004000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	f20ed60f14ba73f4564a302e37baedc7bc6180021a0067298061344ca2cb5b40.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4952	f20ed60f14ba73f4564a302e37baedc7bc6180021a0067298061344ca2cb5b40.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4952 wrote to memory of 4964	4952	f20ed60f14ba73f4564a302e37baedc7bc6180021a0067298061344ca2cb5b40.exe	90
PID 4952 wrote to memory of 4964	4952	f20ed60f14ba73f4564a302e37baedc7bc6180021a0067298061344ca2cb5b40.exe	90
PID 4952 wrote to memory of 4964	4952	f20ed60f14ba73f4564a302e37baedc7bc6180021a0067298061344ca2cb5b40.exe	90
PID 4952 wrote to memory of 4352	4952	f20ed60f14ba73f4564a302e37baedc7bc6180021a0067298061344ca2cb5b40.exe	91
PID 4952 wrote to memory of 4352	4952	f20ed60f14ba73f4564a302e37baedc7bc6180021a0067298061344ca2cb5b40.exe	91
PID 4952 wrote to memory of 4352	4952	f20ed60f14ba73f4564a302e37baedc7bc6180021a0067298061344ca2cb5b40.exe	91
PID 4952 wrote to memory of 1540	4952	f20ed60f14ba73f4564a302e37baedc7bc6180021a0067298061344ca2cb5b40.exe	104
PID 4952 wrote to memory of 1540	4952	f20ed60f14ba73f4564a302e37baedc7bc6180021a0067298061344ca2cb5b40.exe	104
PID 4952 wrote to memory of 1540	4952	f20ed60f14ba73f4564a302e37baedc7bc6180021a0067298061344ca2cb5b40.exe	104
PID 4952 wrote to memory of 628	4952	f20ed60f14ba73f4564a302e37baedc7bc6180021a0067298061344ca2cb5b40.exe	105
PID 4952 wrote to memory of 628	4952	f20ed60f14ba73f4564a302e37baedc7bc6180021a0067298061344ca2cb5b40.exe	105
PID 4952 wrote to memory of 628	4952	f20ed60f14ba73f4564a302e37baedc7bc6180021a0067298061344ca2cb5b40.exe	105
PID 628 wrote to memory of 2624	628	assistant_installer.exe	106
PID 628 wrote to memory of 2624	628	assistant_installer.exe	106
PID 628 wrote to memory of 2624	628	assistant_installer.exe	106

C:\Users\Admin\AppData\Local\Temp\f20ed60f14ba73f4564a302e37baedc7bc6180021a0067298061344ca2cb5b40.exe
"C:\Users\Admin\AppData\Local\Temp\f20ed60f14ba73f4564a302e37baedc7bc6180021a0067298061344ca2cb5b40.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4952
- C:\Users\Admin\AppData\Local\Temp\f20ed60f14ba73f4564a302e37baedc7bc6180021a0067298061344ca2cb5b40.exe
  C:\Users\Admin\AppData\Local\Temp\f20ed60f14ba73f4564a302e37baedc7bc6180021a0067298061344ca2cb5b40.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=106.0.4998.19 --initial-client-data=0x2f0,0x2f4,0x2f8,0x2cc,0x2fc,0x75399530,0x7539953c,0x75399548
  2⤵
  - Loads dropped DLL
  PID:4964
- C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\f20ed60f14ba73f4564a302e37baedc7bc6180021a0067298061344ca2cb5b40.exe
  "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\f20ed60f14ba73f4564a302e37baedc7bc6180021a0067298061344ca2cb5b40.exe" --version
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4352
- C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401011242401\assistant\Assistant_106.0.4998.16_Setup.exe_sfx.exe
  "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401011242401\assistant\Assistant_106.0.4998.16_Setup.exe_sfx.exe"
  2⤵
  - Executes dropped EXE
  PID:1540
- C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401011242401\assistant\assistant_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401011242401\assistant\assistant_installer.exe" --version
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:628
- - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401011242401\assistant\assistant_installer.exe
    "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401011242401\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=106.0.4998.16 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0x6e2614,0x6e2620,0x6e262c
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\f20ed60f14ba73f4564a302e37baedc7bc6180021a0067298061344ca2cb5b40.exe

Filesize
376KB

MD5
8fc1f7d7a79a4ee013ee9e77975a8288

SHA1
3852166afe3134c38d933ef850856b1192289c4e

SHA256
e6769404d86c5b94097cb8c049a091cafa09876dc83e3bcaf3073ab4312892c2

SHA512
b3cce67efb46e061f4d59c5f9fee7fe4f6e091a79b37c6b4a7eed1c5a245b39d5d29393f38dc5f382fdf7e16d9871a56ee2c019800ce44cf593f33cd2bafc2b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401011242401\assistant\Assistant_106.0.4998.16_Setup.exe_sfx.exe

Filesize
1.1MB

MD5
82aaf6b086c1a727a26b795de3eb4359

SHA1
5f8fff2db8c4f6991e9287f04eb39988f5b4a576

SHA256
8a13509cb54c3d8a8bdac074f49cfef65d3cb5614804043aaa0e399183ae24b6

SHA512
4779d26f8e330a51fd7ceaf8d465a6d9c31ac3b61479ef2980eb77f7f854058bfbd9757101c95192c252a089339a678e416b809db4145dab5615d42c0d78ebea

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401011242401\assistant\Assistant_106.0.4998.16_Setup.exe_sfx.exe

Filesize
1.0MB

MD5
35d402f2ab65e6eada583da2329da209

SHA1
fba247d5ca9254f183c127f47d3d1f13c4fd34bb

SHA256
9fb4a64158006033e298c42969952c81697e5291f0384ebe156a08a9dcabdbd8

SHA512
8d3a07f1effcd5aa328b9d00898ed0266599ad018ab94932eac15eb786560b193f8a4f3a8a68e5c937f73e377c5610bf812c631563f32c3ed5e63dd1f289c376

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401011242401\assistant\Assistant_106.0.4998.16_Setup.exe_sfx.exe

Filesize
915KB

MD5
db850564d76a7d2fb35c16cf2ce469ac

SHA1
d0ff34cb1bdd662517159b36ddfb11cabf41ff1f

SHA256
f2a60f41afe55ed862ce2360a9f0537545ebe68150eea1674e5521ab5822fd54

SHA512
0a100796954a7fbe12d8aa6fc9e875c4fa9d85eb9debe65f49a4806bea8456411754a2ae28ea63a3c2132bbea524eb23aef4534bd52ddc7a41f45c465bb333c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401011242401\assistant\assistant_installer.exe

Filesize
498KB

MD5
4ac4c2118cb548044b87888c6b45f1af

SHA1
aff6a988f11731dcbff4052f91b00cdcd2f743cd

SHA256
33f50a360234938dcf374f4e79231a2351d2cbbb1303df1e31ee0eb11e0d4c0a

SHA512
48151355b0171fd04452326245a4fdd7af4069f42bece6ccd21810d6f88fbfeef44e8e4f57ad3560b0ccf169303699da9e143e9afbd1b15770fc2bb924a99b15

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401011242401\assistant\assistant_installer.exe

Filesize
256KB

MD5
a554b109d77388cbf5d26b7a9dc8af02

SHA1
7ead36cdbbde405da7279bca99bc910119d2db52

SHA256
1d2a750dc530844a40dc81a8037af853d5d17900c83447ac371e81e72ec10dce

SHA512
75d23d25973fcf205d1cce750aa4e488f8fd48998ebd605680dc5d4e96897ccd0d14edb1f690d2b62c3b000c07516dca529340c4e1d0b2c150ccdaf941362baa

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401011242401\assistant\dbgcore.dll

Filesize
166KB

MD5
a59b6c6d04bac536cc7fafe92f0d1bda

SHA1
6d5bbdfafbe2ea65e3aa9abc088e0fc6e20be8a1

SHA256
c2d92d6e9a3ea40f38d275499bef7ba899802f131160ce1a2f76314b87b531ac

SHA512
49e748676c54482f7de089fb6eaa45b5cb3e59a1b9125d90619371678749a0b80cf8ef8c7cf75c8486d20b89639a8b679c23a671a2c3b6dff1f86ea9cb1a7f5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401011242401\assistant\dbghelp.dll

Filesize
448KB

MD5
bff083848451d3e2b08c979327cf3617

SHA1
18960b74bc4e983462c0ca3181199fe9ed52fba0

SHA256
ad69844b3c5834dd5235aa09e56ec3a1cc324e30f2924022c01976de5ce8443f

SHA512
f31c6458539da8a7eb1d5a3fcd5a13882f1cd0c545907fe2857e4997d579d53b78530e6f8f3f79297906a4237d29ad687c994267ce5f4b1d44756836092edf98

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401011242401\assistant\dbghelp.dll

Filesize
662KB

MD5
f7fa62d7d05d14c8947e2f697b2d79b0

SHA1
91017fb96f4b7f62291b42174d7ea3216e212e66

SHA256
1293670c8f7274370a376774fa4c5f61b72d30946937e3df97758c7b71b458f3

SHA512
c1106fa9f1bfb3106dc392adccf73675249c0173ee838f1d2f9487ead0dc4d924879bb37260af31ca72319cd2661a9bf222992be8d34fea1331281a0faa44dc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401011242401\assistant\dbghelp.dll

Filesize
341KB

MD5
63d1af40f24cdb48816c4f91acacc1f2

SHA1
ef9be47566fadf7d0386129c337f34a27e8db722

SHA256
9d990977f1e1dcf43c25fd2f00fec7297a150d3fb08e08780b290aa5039fceb9

SHA512
0a50d15851fb9ad0fae4ff016a9d0c5546a42a74ef791f36602dae71018e4537e2e8445047d88ac61032dd18e94f638419c5245f7daa7598bdbefe60b5a449d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401011242401\opera_package

Filesize
9.2MB

MD5
ce9ef1e9910a6e9619ab1aecf4c066ba

SHA1
8a427fd3a22970449b1c057016aa98da36177082

SHA256
7066efb803a3c9b62659ee6e40a3d8237237017f5e89eae636473611b8b4be82

SHA512
e9e25bdacabf7ec1c2aaab62353260a32b5b219b19fede2f2b48677ad1c3dfe4aa425614a6abdd260241b3db734e8cc37ae316bb4e4246c76073153f3db7d2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2401011242395244952.dll

Filesize
49KB

MD5
055714d8ed23011acbd093d261fb0321

SHA1
1e960c6d844dc2f5d707ad13b7def57dbbeeb284

SHA256
69db7c706fb1a44f166f89d119b132251532d246e37cddd71a272523ae4764d3

SHA512
da0760c764b12a64eb1b8fbd09ab883b373a5f79f30b246af8b8985e8be69bbfa5fa237bfdb3b6b1c543dd7f1fca89284d2df022b0c72ed12821e8b125ddc752

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2401011242401804964.dll

Filesize
321KB

MD5
7eeccf7807f7d8e3328ba782a4ecf9e2

SHA1
8ce0a9eada0e05295b643543faccd6b33ddcb3e5

SHA256
c59888716bd568e7db61e54f34949ef759988c5d2488bab10c2a4e5f3f40f1be

SHA512
10f08d705a01a7a393c3d1de4e96f46f009d6d4438fe7fa088359e3e6d654d8341b7bd9515853d05643ffd1693fce0ac81157d5ec758fc60a69ce7da8f80c37d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2401011242404154352.dll

Filesize
281KB

MD5
1480330acd33801b361cee7d25251cd4

SHA1
1edff381cbf9c3da9287973df509406c489cd3c5

SHA256
a7f6190d4389a41de1dc8bcc7c2416e4790d59d333b6264198d546e4447533ab

SHA512
0579b635dfcc063d68d9b6fd998702fd53d920622e5c08431227a4128fa9e5da93da41532995f29efbf206520fa7e7a1e8a986fbc3777573b9846bc065e8bc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2401011242404154352.dll

Filesize
476KB

MD5
a75bea56f20e3bc2dab6b16cc21a6633

SHA1
fb91463c8da80b8d0f805afc9a6ae60904e16721

SHA256
55e2b06a7bb098cec42368d926046cba8ece5bf70dbe0b531e2d1fc1bb7596b1

SHA512
131fe8422e4ce1a0ce451b15d7c0a756cce65e520a45b91ff2241034c8c468deea88848a78e1b849d02d9a22a4a6f54c69292a498d264895beed39ee41ecbffc

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

Filesize
40B

MD5
1d2b3d7a2ae0f107f30d85fae484c7de

SHA1
a754e1fd79d82b8803818aa4791c1e640f2cb774

SHA256
73d2e7f872215ee82c2aa413e47c6afa819e6e7a8b51ea6ded32dcfbbdd48e68

SHA512
44a4a04af73584db6cd93a3d4a308bdb065ff65dc115ab20f41f132cc531c44d2acbca61a38dde2ef7685f9ad079d2557611e5325df502fc980e7841df448755

Download Submit
memory/4352-18-0x00000000009A0000-0x0000000000E88000-memory.dmp

Filesize
4.9MB

Download
memory/4352-15-0x00000000009A0000-0x0000000000E88000-memory.dmp

Filesize
4.9MB

Download
memory/4952-36-0x0000000000450000-0x0000000000938000-memory.dmp

Filesize
4.9MB

Download
memory/4952-0-0x0000000000450000-0x0000000000938000-memory.dmp

Filesize
4.9MB

Download
memory/4964-37-0x0000000000450000-0x0000000000938000-memory.dmp

Filesize
4.9MB

Download
memory/4964-5-0x0000000000450000-0x0000000000938000-memory.dmp

Filesize
4.9MB

Download