be5357f63b036da79d198978cbc5b652ea02b1ccfcb1538352442cdc7f4d5549

General

Target

Delta V3.61 b_46956732.exe
Size

9.5MB
MD5

93d16508432c3ff3512eb9de584f48e6
SHA1

6ed9fd4d190afc6c5154730d85cf883fd3ad4d2e
SHA256

be5357f63b036da79d198978cbc5b652ea02b1ccfcb1538352442cdc7f4d5549
SHA512

08ad71f9b6b3a65cb22b6a65c8e44d4e004de2d10683dd89a8eac5af67127b126db301ca55e00740e7342c2896cf4b7178257e9d4e446a03db13e122c4116338
SSDEEP

196608:MulB4qN8C0lgVk2rqNemQ3bKfIiaNPFHNRsiK:jee87gbrqNeL3bIIiEHMn

Score

6^/10

discovery

Malware Config

Signatures

Checks for any installed AV software in registry 1 TTPs 8 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	setup46956732.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast\Version	setup46956732.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	setup46956732.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir	setup46956732.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV	setup46956732.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir	setup46956732.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV	setup46956732.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast\Version	setup46956732.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Executes dropped EXE 1 IoCs

pid	Process
5080	setup46956732.exe

Loads dropped DLL 39 IoCs

pid	Process
5080	setup46956732.exe
5080	setup46956732.exe
5080	setup46956732.exe
5080	setup46956732.exe
5080	setup46956732.exe
5080	setup46956732.exe
5080	setup46956732.exe
5080	setup46956732.exe
5080	setup46956732.exe
5080	setup46956732.exe
5080	setup46956732.exe
5080	setup46956732.exe
5080	setup46956732.exe
5080	setup46956732.exe
5080	setup46956732.exe
5080	setup46956732.exe
5080	setup46956732.exe
5080	setup46956732.exe
5080	setup46956732.exe
5080	setup46956732.exe
5080	setup46956732.exe
5080	setup46956732.exe
5080	setup46956732.exe
5080	setup46956732.exe
5080	setup46956732.exe
5080	setup46956732.exe
5080	setup46956732.exe
5080	setup46956732.exe
5080	setup46956732.exe
5080	setup46956732.exe
5080	setup46956732.exe
5080	setup46956732.exe
5080	setup46956732.exe
5080	setup46956732.exe
5080	setup46956732.exe
5080	setup46956732.exe
5080	setup46956732.exe
5080	setup46956732.exe
5080	setup46956732.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Opera GXStable	Delta V3.61 b_46956732.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Opera GXStable	Delta V3.61 b_46956732.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
5080	setup46956732.exe
5080	setup46956732.exe
5080	setup46956732.exe
5080	setup46956732.exe
5080	setup46956732.exe
5080	setup46956732.exe
5080	setup46956732.exe
5080	setup46956732.exe
5080	setup46956732.exe
5080	setup46956732.exe
5080	setup46956732.exe
5080	setup46956732.exe
5080	setup46956732.exe
5080	setup46956732.exe
5080	setup46956732.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5080	setup46956732.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3492	Delta V3.61 b_46956732.exe
3492	Delta V3.61 b_46956732.exe
5080	setup46956732.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3492 wrote to memory of 5080	3492	Delta V3.61 b_46956732.exe	74
PID 3492 wrote to memory of 5080	3492	Delta V3.61 b_46956732.exe	74
PID 3492 wrote to memory of 5080	3492	Delta V3.61 b_46956732.exe	74

C:\Users\Admin\AppData\Local\Temp\Delta V3.61 b_46956732.exe
"C:\Users\Admin\AppData\Local\Temp\Delta V3.61 b_46956732.exe"
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3492
- C:\Users\Admin\AppData\Local\setup46956732.exe
  C:\Users\Admin\AppData\Local\setup46956732.exe hhwnd=458814 hreturntoinstaller hextras=id:ad413892c2b60f5-RO-KA1rz
  2⤵
  - Checks for any installed AV software in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Software Discovery

1

T1518

Security Software Discovery

1

T1518.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OCommonResources.dll

Filesize
5.6MB

MD5
2af3b73289222f53daf512d4fb3a55be

SHA1
d2fa2d364f9e00988910075cd146cea7c2ec9801

SHA256
4ac54c921cd71a01c199d9b2785712d2af30f13214bbbeed5baa75f9ac0a21ac

SHA512
6440b1e8036f9a71f1444ffd4cb82d88eef94b98a139170c10d0abee38b5c657c9fee14a14c90569017845d25281dd97bcc6a11980096a76e77b95f20be7fdfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OCommonResources.dll

Filesize
5.1MB

MD5
146c221743720d8f725490472edf4aea

SHA1
0e3ae82d97f3aea6152de616bc6e3a8bdefbb92c

SHA256
99a5a3e811a9d6162cf3e7974b0cf038afb03df87c1052292378cd9299ad0b21

SHA512
5db926af7d29370cfe281b6d7ff133f0e4f62a9cd2fadfc39f5c12a2137b391c464d5840bd24fd1610ed93505b8bdf7519ae4f8e3c9bfd4a9ce0bcada69a5a21

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\MyDownloader.Extension.dll

Filesize
168KB

MD5
28f1996059e79df241388bd9f89cf0b1

SHA1
6ad6f7cde374686a42d9c0fcebadaf00adf21c76

SHA256
c3f8a46e81f16bbfc75de44dc95f0d145213c8af0006bb097950ac4d1562f5ce

SHA512
9654d451cb2f184548649aa04b902f5f6aff300c6f03b9261ee3be5405527b4f23862d8988f9811987da22e386813e844e7c5068fd6421c91551f5b33c625f29

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Newtonsoft.Json.dll

Filesize
541KB

MD5
9de86cdf74a30602d6baa7affc8c4a0f

SHA1
9c79b6fbf85b8b87dd781b20fc38ba2ac0664143

SHA256
56032ade45ccf8f4c259a2e57487124cf448a90bca2eeb430da2722d9e109583

SHA512
dca0f6078df789bb8c61ffb095d78f564bfc3223c6795ec88aeb5f132c014c5e3cb1bd8268f1e5dc96d7302c7f3de97e73807f3583cb4a320d7adbe93f432641

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\sciter32.dll

Filesize
5.1MB

MD5
bf5f25e1d9089b4d22b5a17cbe85abd8

SHA1
e384b185310b17394f3dc6260d7ee24a41d09795

SHA256
5d156ebeef94d94ee092c34f07507ff828e46ff20d67449680b834baabeea76a

SHA512
9d51554575cb294eb00746aabe85b6e2f6306dee683845295dfbe7ddd646b3f59ec51e20ffa403d14d991cc90bff99aa2baa773d7febf18dae448ce0c88082bf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-us\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/5080-172-0x0000000006FB0000-0x0000000007304000-memory.dmp

Filesize
3.3MB

Download
memory/5080-178-0x00000000074A0000-0x00000000074AC000-memory.dmp

Filesize
48KB

Download
memory/5080-94-0x0000000005DC0000-0x0000000005DE4000-memory.dmp

Filesize
144KB

Download
memory/5080-86-0x0000000005D10000-0x0000000005D2A000-memory.dmp

Filesize
104KB

Download
memory/5080-78-0x0000000005D50000-0x0000000005D82000-memory.dmp

Filesize
200KB

Download
memory/5080-62-0x0000000005C40000-0x0000000005C6E000-memory.dmp

Filesize
184KB

Download
memory/5080-54-0x0000000005C10000-0x0000000005C38000-memory.dmp

Filesize
160KB

Download
memory/5080-165-0x0000000006BC0000-0x0000000006C4C000-memory.dmp

Filesize
560KB

Download
memory/5080-171-0x0000000006B30000-0x0000000006B52000-memory.dmp

Filesize
136KB

Download
memory/5080-110-0x0000000005E10000-0x0000000005E18000-memory.dmp

Filesize
32KB

Download
memory/5080-170-0x00000000061C0000-0x00000000061CA000-memory.dmp

Filesize
40KB

Download
memory/5080-118-0x0000000005E60000-0x0000000005E8C000-memory.dmp

Filesize
176KB

Download
memory/5080-181-0x0000000007A80000-0x0000000008024000-memory.dmp

Filesize
5.6MB

Download
memory/5080-102-0x0000000005D40000-0x0000000005D4A000-memory.dmp

Filesize
40KB

Download
memory/5080-144-0x00000000064D0000-0x00000000064E2000-memory.dmp

Filesize
72KB

Download
memory/5080-128-0x0000000005DF0000-0x0000000005E0D000-memory.dmp

Filesize
116KB

Download
memory/5080-203-0x0000000007700000-0x0000000007792000-memory.dmp

Filesize
584KB

Download
memory/5080-187-0x00000000085F0000-0x0000000008BA4000-memory.dmp

Filesize
5.7MB

Download
memory/5080-46-0x0000000005BE0000-0x0000000005C04000-memory.dmp

Filesize
144KB

Download
memory/5080-70-0x0000000005CA0000-0x0000000005CC8000-memory.dmp

Filesize
160KB

Download
memory/5080-38-0x0000000005B10000-0x0000000005B24000-memory.dmp

Filesize
80KB

Download
memory/5080-26-0x0000000005B30000-0x0000000005B40000-memory.dmp

Filesize
64KB

Download
memory/5080-17-0x0000000000E40000-0x0000000001218000-memory.dmp

Filesize
3.8MB

Download
memory/5080-18-0x0000000071BD0000-0x0000000072380000-memory.dmp

Filesize
7.7MB

Download
memory/5080-242-0x0000000007440000-0x000000000746E000-memory.dmp

Filesize
184KB

Download
memory/5080-266-0x0000000071BD0000-0x0000000072380000-memory.dmp

Filesize
7.7MB

Download
memory/5080-268-0x0000000005B30000-0x0000000005B40000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing