Analysis
-
max time kernel
169s -
max time network
204s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
05-01-2024 20:49
General
-
Target
43ddd445630ca31dd37a704f55d064350da97177dba40b63f6d65408a0daf9a2.exe
-
Size
5.9MB
-
MD5
bb30c735a75e97bb900e50345c66f172
-
SHA1
c44b795b5f7494230751397ac6e6917f644b2281
-
SHA256
43ddd445630ca31dd37a704f55d064350da97177dba40b63f6d65408a0daf9a2
-
SHA512
b832ecdd4c9f0dc9be35bd95aae2978d32ba54ae64727f7ed40853b77f89b78385399eb2781fe9e0c197d7970d752d5ea907018c41ba9f9c0317a26564657dc6
-
SSDEEP
98304:9IslwENXkknpf11ZoHjIzGOV0mBfL2TzmyU023W:eRQdo0zGqep4W
Malware Config
Signatures
-
Executes dropped EXE 21 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 25 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies data under HKEY_USERS 21 IoCs
-
Suspicious behavior: LoadsDriver 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 37 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\43ddd445630ca31dd37a704f55d064350da97177dba40b63f6d65408a0daf9a2.exe"C:\Users\Admin\AppData\Local\Temp\43ddd445630ca31dd37a704f55d064350da97177dba40b63f6d65408a0daf9a2.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\43ddd445630ca31dd37a704f55d064350da97177dba40b63f6d65408a0daf9a2.exeC:\Users\Admin\AppData\Local\Temp\43ddd445630ca31dd37a704f55d064350da97177dba40b63f6d65408a0daf9a2.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktopGX --annotation=ver=105.0.4970.63 --initial-client-data=0x2bc,0x2c8,0x2d0,0x2cc,0x2d4,0x1405320a0,0x1405320b0,0x1405320c02⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
-
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"1⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exeC:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
-
C:\Windows\System32\SensorDataService.exeC:\Windows\System32\SensorDataService.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\spectrum.exeC:\Windows\system32\spectrum.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\TieringEngineService.exeC:\Windows\system32\TieringEngineService.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 9002⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.1MB
MD569b198938f2e82ed90a460123e395120
SHA17e6e36f7a58e08ef3f954b9229a4051c44e1abc5
SHA2567e87bdbb041f935e39e448112d2fe2e18882d4b4ef030fc33af340f5cf2fa388
SHA51226f65e6c322698b5d12f2d8c505db4188b5f73ef9b3350344cefff0258e76c11a4f76d439129759bc3b2a4e6f31770c0601e927d6c3223bf92fba438e4eb76fd
-
Filesize
781KB
MD502b4fb024e34b4176f685652d242b00b
SHA13a42ae54bc79698428f51a014c289c4b7e022312
SHA25675fb6d054a7349d61cb32b1e177e1d698fef80eace0a4410daab60c89240cab6
SHA5125ac31edb4c71fd50667bae243c0b1692605119376a4229a2e925a414103ef5b64195473f70ebe4c01d5fdecf129669bd27e813ccc9f169ebe290c41c558929b4
-
Filesize
805KB
MD57d22bdd004aa72a659538e66a4e50800
SHA12ed4f813f884c875343f2dd85efd985e3e010907
SHA256376f1cd9a423edb57f50012670305fd2fec6e1225667c2c877bec2e9353d51b0
SHA512ca9864b269d3f7b98af8407586ad747af371c8d0c7e5ea0465ab36369150516539996034ef824bebc314d60094bb8bea4a276f46175ee98ea114b577a011b0f0
-
Filesize
2.1MB
MD55347f584128386857a5667d2ba008ec4
SHA14ef5d184834497f0b2ec5982419e7c8e6ef3858b
SHA2568aad787e39876743d0b0b14f44066911a2e4504325067e521fdfa98de9c46d22
SHA512c2800cce27645486b9ea236652a09a578bc29c6d89f1cc99e8edf06a0b7c0e52866863a10e1a54ec17b2d60ce7012e15cbf1e73963e6b6976bbdac9aaa2d65be
-
Filesize
244B
MD523ecfba80591f1d29dedfcaa080f8a71
SHA107fc8e35a4f0da9ab12a47740269ab9bef33b40d
SHA256026bac760cf4c846ca01e8a9ecee947bd5a3c0f7d2334ab1eeb45041c5f78b4a
SHA5128adeab27d890b4a4246e00b07c32b87b9a43a125856f4ee4747c837fd100234b46f2225148db5690dfe79d3f832b2b00e29adfb50a475f7af5b8e74568cb0615
-
Filesize
12KB
MD55d858e893e54979b3c923fba7bdf4c28
SHA1a2d297aee25dbffc03ff8c4bb1c841dee403e6ed
SHA25681b8b02e3fa3a33fd5482c4c73bc982b19bc618bf94705590ca6e02fabdef30b
SHA5127cc1a29d621e5c4e6e9670522839ea426221e61042062f2e8646b16e81c2bd20df0f6bdba3a766b62306fb9f29f24b4629e2f308774e47e20d0efa1df8c15329
-
Filesize
588KB
MD5a8fec4c4e017e75e0a2e25be0b66d258
SHA1502ddcd94ccf3b52d4be2ac98651804ce9cb11d1
SHA256bb466663d555679a101d84036732c4011c46ca782cf98ed60b26d310f0d7e59b
SHA512266ced643bce2cea6890ee4caadcc569208e6faa92e91c9b8e24d4949cab388872b0a8b9a208cd727e8f3668a74e6bc0fac1c94c03359dd944cc3d79bda8b811
-
Filesize
1.7MB
MD528e36e12dff13e8d8bed241a6867c995
SHA17b150c1edd8fe57adfa39c2ad3c856620930d696
SHA256104ecec1e90a2b902492733ceb558917c8373a353654525af90e1a47d158d1f4
SHA512b400b1b874be0952f4d7a7f0f1be1ab54948bbdc38583b4bc01df37c6df0b1cc51f9aa5db51a8b05b8d0d2d0c0ade83968b7ff0081475c3cfdda2692f4101485
-
Filesize
659KB
MD590ebc49eb1c7f10b8103d7e81660858d
SHA17f193b8eec1c4072ea7358a518608de99031d322
SHA256f0a8446d9cf46d30e40f174e6030a88e77216f0b100ee2a14895d67f782b8a55
SHA512e1c3fb46a121405e22179d9f0f20590711cae2767d634309b8d982966eb1425229526fb55e7ce8addf170986e4a9c5d1cb1a61ae8ff044d22b1af50fb15843a9
-
Filesize
1.2MB
MD53d34fa5e0109853b308398660db757b5
SHA1b36a88f7d981f68849898b3c30c91436e70fe299
SHA256ae47bef0d45fc68de049194d88914afd09e8c0f3aa7d5ac8ea123f0387fb98e9
SHA512cdfb8e39a8bf711befa6b471a27ed8a6582cdcf08471bbe1b00c57d62ed20d5385c0ee68f42c22da4aa2d46ce61f32cee142e055343a0754e428d26ef4ba4ec0
-
Filesize
578KB
MD5d2ff993b43f6a44213b48acc373bbcf4
SHA18b617c786d1da233b498a149bf428efce58d35d2
SHA2563570b805682c1f1b735ce53cec81622f5fbd41deb6fef96899bbd54cf3fb688b
SHA51262b718ee68c6d54b028167c3030a83db505b89d5e869c290369a246b0b3b2810c8a0b9add29d2bc8b89c5a0bcdee9915eb99ce79bcd02055e87ec6fd2cd582f7
-
Filesize
940KB
MD56609a5a3479a209cabc8091ff68348b3
SHA190d39c4bdbdb0dca740367802f71f86562a60b66
SHA256ae4a6ad065651b1d90dc37fb393830e096b6338ef4d5da68c23d09ad205dea3f
SHA5127efd74c790961ba3e0d6fc20fe1297354ca4cd08b16a58b5af29405293f858842b0b9a726a5979062e1a07200e8a57ac7504725d6f5aeeb4d5c3f8a2c0e1941c
-
Filesize
671KB
MD5a76fe636e081c2d34086230221cdb1b2
SHA1992c69d7d43855cdc7ae38c1e29bd01ce6fddcbb
SHA25619cbffc7bfcfa32f9e985f46fe40f6c35b95c6d67fe5e40715646e381d834e52
SHA51292697460758e5d95322597f7a013c25e9de607240ba8ded63ed39d4a637cc9493477b5b6c62eab9b30fe3bb4a5928dfa6e6ff43f2abe3231f05985bb15f2b921
-
Filesize
1.4MB
MD53662731b9f7afaf9b0268ffdae0489db
SHA1b26bedca969161a045c856e8beae30ffe379d09d
SHA25670ccadc2d09ee584bc8bc5be58daa9ecc54d151dc65626e7aaed0a9b095925b1
SHA512fcc8f2bf31acfb325e0eabe6ca2f842940a3f4d8b63479d158df68cf4497e883cc9b4c48a157ad7329479ec0f4af3976ac053146b4492a75fd9e853f7fa5d672
-
Filesize
1.8MB
MD507862666e69eb52fbd6c200707eb454a
SHA11604b024a4d3ff88aa8ce0ac4aa232445321a9d8
SHA2569ba6386fc39a818a1917a86d1db40e4e4a39b2c42f4e509cd2111e3e63f8c473
SHA5122d645d11576621abc7cee9df5ee49c9b6e3659d6af409ee7fd4bcaca439f5c1d97abb60afc199eab5edc6103c5af62b5656b4f5a0261ffe24da5fd4ec61baaf9
-
Filesize
1.4MB
MD5fd685a4c03eb959dffcbca9993d3c736
SHA154d54712ba6fc2ed77ee3b3fe781f4a3e7e99ae0
SHA256b070a4b41f3a97e96978a3cd1ed8b5f31e6715aa045b98a932046a4c16051627
SHA51277b6fe0417a673eec57527c22c8a016fb658e39198d3c07f6eaba81f5f035245a75482be302b738d6e08d4ce66bf12f34053095dfd1da0d1d713acf95c080ecf
-
Filesize
885KB
MD5ef4df1a645a4ea74d6b51902d9378de8
SHA1092b5fca3fe1cba8617ef17174a5c02d79107847
SHA256c9af873537f85ba232cb9cb9c66052f68d3c4d87021895154e6d7b658eb566ea
SHA512e2e4bea7491c5c23250b83c750e832826708a375b62af0462a08d038df88de36d3277be08f06e4ba8f146c6a74c9446e11841127eb66e4278e425114e13e851e
-
Filesize
2.0MB
MD5e79c6e05cf5367e40c204547700277ca
SHA195e5785644886e948f9b92a4351657a3986697e4
SHA2564494f42b03c2d29d881841514e8048b145f4ad63fd4d94c0c8fb1f743f030389
SHA5126ada5601e88884066dc7cb02aac1a7360ebff53724bbc2e5026d84231c31f66ffb96cb56adfe7e830332c645a27786372326aebb249cb0316f5e234fc7f4ef23
-
Filesize
661KB
MD573e8a8e0d2129812f8425f64b9175cae
SHA10119eb7d719a351024a1032339061c12d012ca22
SHA2561973fbedf68dd1254348a75d9904feccf7c8ef105de94add05c334e47d7c8765
SHA5127453fd1d6d8b11ff6196e43252c62137bf8567491a0e3130ce3a53ec8f6b278c712f2e57c4ff462bf374d7b25caf2e852da5fecd9714a83d9b2ce6c4a758e4ef
-
Filesize
712KB
MD5cb0b52a268e34aa9a8d56e71ac8dac84
SHA1fdd28e80da7ea7e4f0b01f7f3ba98677cb0a55c5
SHA2562bd50c71a5080cbc8307f02c16408d8b4416797f6b0cf1c1a5783e301ba36dd0
SHA512516a682945470e6bf2d5920510ded4fc2b25bc2da8d8153ee194a9e97cc258f88598696ffd1a87d715796a8e29be4e611286e01b1c13c772dfafa4f9176b628c
-
Filesize
584KB
MD5e9a07b574236619cc52b87c486984252
SHA1988ac5cbb078d37260ecb854e7622903b57242d9
SHA256f6ad1a758b4e4583503dfad79df501d1bee801252b5c9d9437792e9cdcf686ce
SHA512b66bddd7a0d53dde2947930556f8dd46a2f64f8962d2f61bb0ae19a76674850128f371a9d3f8fba13a292dec772640c9541f773aaf25cbe6add75259ece225b0
-
Filesize
1.3MB
MD551ffdb812e2caf3cd4c6cd3d9d6d7a0b
SHA117a319d249e1782da07e28d5311c3bf09336721d
SHA25609fe84741d1c2fee29bc8fa9994d3f2f5ec7195ec45e73dba45300230ef46558
SHA5120335a519eca7adf83df526da938da1042f8ebe108b5f6896cc82698a41f6613f4b86f474a19fd2e5ae9b8d8eb231cce91e168e4fc983634d36b247d2ef13965f
-
Filesize
772KB
MD5cf4c3e3a2e9b9f74df103dfcfb7acb4a
SHA15603643878ec0b244ddf03f6e764218350b13785
SHA256a7be0413934d4c59b09065284b1336301d4b9ffcb0efe41bc4dc45e8896908e7
SHA5127bb546e6168eaeec05986ee6cd6a2274e8959d303015a3ae8f171669b75df79d9851dd13d6df49dc91c96038cf927115988a42b4f202667718314f61f85cacdf
-
Filesize
2.1MB
MD5ab65deaef23bb308944bcd4c5524eaed
SHA1d12be6fdfb2ec43df0b45b0e7cf7d3114c0e4b8b
SHA2564578613e820e30d2cdc1d78d9bec3ac10485a4d4a5f6d4bf7d4f3e1a6e01fd70
SHA512aee5e582a3cd2a6f064d53489a90704602a7df78974338731301c921aded03c8fb7287a1701f125897cfc08528ae68821d010645a77c2c1fc95ceb6d4b3624c9
-
Filesize
808KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
808KB
-
Filesize
384KB
-
Filesize
6.1MB
-
Filesize
384KB
-
Filesize
6.1MB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
1.5MB
-
Filesize
384KB
-
Filesize
740KB
-
Filesize
384KB
-
Filesize
740KB
-
Filesize
384KB
-
Filesize
676KB
-
Filesize
384KB
-
Filesize
676KB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
384KB
-
Filesize
1.8MB
-
Filesize
384KB
-
Filesize
1.8MB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
384KB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
1.0MB
-
Filesize
1.0MB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
2.0MB
-
Filesize
384KB
-
Filesize
2.1MB
-
Filesize
384KB
-
Filesize
792KB
-
Filesize
412KB
-
Filesize
604KB
-
Filesize
412KB
-
Filesize
604KB
-
Filesize
600KB
-
Filesize
384KB
-
Filesize
600KB
-
Filesize
384KB
-
Filesize
828KB
-
Filesize
828KB
-
Filesize
1.3MB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
904KB
-
Filesize
904KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
1.2MB
-
Filesize
384KB
-
Filesize
1.2MB
-
Filesize
596KB
-
Filesize
384KB
-
Filesize
596KB
-
Filesize
684KB
-
Filesize
384KB
-
Filesize
684KB
-
Filesize
384KB