fada2d23185568fe84d7b5110cc51c92badc1cf615b993e3ecbfb5a96083786e

General

Target

fada2d23185568fe84d7b5110cc51c92badc1cf615b993e3ecbfb5a96083786e.exe
Size

44.1MB
MD5

71ba5156246b9df86f7ce5232d10379a
SHA1

78255379df33cdfe5fd3245b18edc0f14f77bd96
SHA256

fada2d23185568fe84d7b5110cc51c92badc1cf615b993e3ecbfb5a96083786e
SHA512

cbe0d08397825bca7c303bf3336cae9396c511e4f963703d572322f892df3149b3b10e6c57e656dd14cb52db8760360bd36b3a6292e8f2a6747f5f532b6dc8f7
SSDEEP

786432:3rMzfSAY24BjG2JnLns5oTgztADHw1zsgoTYpu1ME79NO8Lzv0eO5gpHG+vHhqEg:IzfZTyVnLTT7HweQqNBO+GtIKl

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1936	fada2d23185568fe84d7b5110cc51c92badc1cf615b993e3ecbfb5a96083786e.exe

Loads dropped DLL 4 IoCs

pid	Process
1664	fada2d23185568fe84d7b5110cc51c92badc1cf615b993e3ecbfb5a96083786e.exe
2076	fada2d23185568fe84d7b5110cc51c92badc1cf615b993e3ecbfb5a96083786e.exe
1664	fada2d23185568fe84d7b5110cc51c92badc1cf615b993e3ecbfb5a96083786e.exe
1936	fada2d23185568fe84d7b5110cc51c92badc1cf615b993e3ecbfb5a96083786e.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	fada2d23185568fe84d7b5110cc51c92badc1cf615b993e3ecbfb5a96083786e.exe
File opened (read-only)	\??\F:	fada2d23185568fe84d7b5110cc51c92badc1cf615b993e3ecbfb5a96083786e.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Opera	fada2d23185568fe84d7b5110cc51c92badc1cf615b993e3ecbfb5a96083786e.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1664	fada2d23185568fe84d7b5110cc51c92badc1cf615b993e3ecbfb5a96083786e.exe
1664	fada2d23185568fe84d7b5110cc51c92badc1cf615b993e3ecbfb5a96083786e.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1664	fada2d23185568fe84d7b5110cc51c92badc1cf615b993e3ecbfb5a96083786e.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 2076	1664	fada2d23185568fe84d7b5110cc51c92badc1cf615b993e3ecbfb5a96083786e.exe	28
PID 1664 wrote to memory of 2076	1664	fada2d23185568fe84d7b5110cc51c92badc1cf615b993e3ecbfb5a96083786e.exe	28
PID 1664 wrote to memory of 2076	1664	fada2d23185568fe84d7b5110cc51c92badc1cf615b993e3ecbfb5a96083786e.exe	28
PID 1664 wrote to memory of 2076	1664	fada2d23185568fe84d7b5110cc51c92badc1cf615b993e3ecbfb5a96083786e.exe	28
PID 1664 wrote to memory of 2076	1664	fada2d23185568fe84d7b5110cc51c92badc1cf615b993e3ecbfb5a96083786e.exe	28
PID 1664 wrote to memory of 2076	1664	fada2d23185568fe84d7b5110cc51c92badc1cf615b993e3ecbfb5a96083786e.exe	28
PID 1664 wrote to memory of 2076	1664	fada2d23185568fe84d7b5110cc51c92badc1cf615b993e3ecbfb5a96083786e.exe	28
PID 1664 wrote to memory of 1936	1664	fada2d23185568fe84d7b5110cc51c92badc1cf615b993e3ecbfb5a96083786e.exe	29
PID 1664 wrote to memory of 1936	1664	fada2d23185568fe84d7b5110cc51c92badc1cf615b993e3ecbfb5a96083786e.exe	29
PID 1664 wrote to memory of 1936	1664	fada2d23185568fe84d7b5110cc51c92badc1cf615b993e3ecbfb5a96083786e.exe	29
PID 1664 wrote to memory of 1936	1664	fada2d23185568fe84d7b5110cc51c92badc1cf615b993e3ecbfb5a96083786e.exe	29
PID 1664 wrote to memory of 1936	1664	fada2d23185568fe84d7b5110cc51c92badc1cf615b993e3ecbfb5a96083786e.exe	29
PID 1664 wrote to memory of 1936	1664	fada2d23185568fe84d7b5110cc51c92badc1cf615b993e3ecbfb5a96083786e.exe	29
PID 1664 wrote to memory of 1936	1664	fada2d23185568fe84d7b5110cc51c92badc1cf615b993e3ecbfb5a96083786e.exe	29

C:\Users\Admin\AppData\Local\Temp\fada2d23185568fe84d7b5110cc51c92badc1cf615b993e3ecbfb5a96083786e.exe
"C:\Users\Admin\AppData\Local\Temp\fada2d23185568fe84d7b5110cc51c92badc1cf615b993e3ecbfb5a96083786e.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Users\Admin\AppData\Local\Temp\fada2d23185568fe84d7b5110cc51c92badc1cf615b993e3ecbfb5a96083786e.exe
  "C:\Users\Admin\AppData\Local\Temp\fada2d23185568fe84d7b5110cc51c92badc1cf615b993e3ecbfb5a96083786e.exe" --crash-reporter-parent-id=1664
  2⤵
  - Loads dropped DLL
  PID:2076
- C:\Users\Admin\AppData\Local\Temp\Opera Installer\fada2d23185568fe84d7b5110cc51c92badc1cf615b993e3ecbfb5a96083786e.exe
  "C:\Users\Admin\AppData\Local\Temp\Opera Installer\fada2d23185568fe84d7b5110cc51c92badc1cf615b993e3ecbfb5a96083786e.exe" --version
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Opera Installer\fada2d23185568fe84d7b5110cc51c92badc1cf615b993e3ecbfb5a96083786e.exe

Filesize
8.4MB

MD5
603f05df69a48311cf1e5d28931da768

SHA1
d9e82288438b47b0e1105c03bd7df913bfea261e

SHA256
76c437058a16d47a759b3b75c62477b4156b176853c2ecf4ae7107a4ed70d86e

SHA512
ceffbfb2e66052cbfa16c7c9604937e8ef9461f211a79d4338a9b99d8fc294576270b26557c30bafd627105022e4e62bf83be7fac1fc66128e76fc216d7a7339

Download Submit
\Users\Admin\AppData\Local\Temp\Opera Installer\fada2d23185568fe84d7b5110cc51c92badc1cf615b993e3ecbfb5a96083786e.exe

Filesize
9.6MB

MD5
18159ab6bbac231d0d83f64f6c8dc8f4

SHA1
57ac2515b8529899bdd82898eaa855e9415b9dfc

SHA256
cb7c7e63f0b7f7ed94fa42e4010ad301b8b58714ec816d0eae77386762f81691

SHA512
5a76cf03d29a5a42d4156316129255c70618cd6aec2f00ba42da59ebb303391c201046e0e3d2310a5b041024e2f6a7f2e18f16941dd97cd49e383ae7b77df5ba

Download Submit
\Users\Admin\AppData\Local\Temp\Opera_installer_2024225455319.dll

Filesize
1.5MB

MD5
6775542a38c0cc65efee6cf8d346b384

SHA1
c91ca7e67d69c949fedba14d72fd9cf96459359a

SHA256
146320f8bbff9e56aeee7b87a22ead991bd4cce94953a49288b0a2b07569f3d9

SHA512
94d86e857b5e6fd9dad969ba77d31aa8cfa0714d23f1daafa7c380c3eeaf3283d3e9968786b65da8e4891fd23721e399e3217186ed31cda0688697b287b78f71

Download Submit
memory/1664-6-0x0000000000090000-0x0000000000097000-memory.dmp

Filesize
28KB

Download
memory/1664-8-0x0000000000090000-0x0000000000097000-memory.dmp

Filesize
28KB

Download
memory/1664-9-0x0000000000090000-0x0000000000097000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing