669ab23d45556028e7b0b03eb541be1d1a98888e076a79ec6540593bc3135e03

Analysis

max time kernel
140s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/03/2024, 00:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

669ab23d45556028e7b0b03eb541be1d1a98888e076a79ec6540593bc3135e03.exe
Size

4.8MB
MD5

e15f03ca085312bca433f1d7d061d8c3
SHA1

8402b6262e71acc027e51648434b41bae07ddcdb
SHA256

669ab23d45556028e7b0b03eb541be1d1a98888e076a79ec6540593bc3135e03
SHA512

64f7908c6f5a388e5b05b3e4d2bd23d40cc6449226f7123477d849bf3d544f12b4a11b18b11c92edce1178518ae31fa1446eeef59254339596d883c66ab0f7d7
SSDEEP

98304:6ntlT6666666666666666666666666666666x666666666666666fwwwwwwwwwwO:m4Xx0djW+UyQ6rjnHqtJRn7ZrHzq8QVy

Score

8^/10

spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
1364	669ab23d45556028e7b0b03eb541be1d1a98888e076a79ec6540593bc3135e03.exe
3136	Assistant_108.0.5067.20_Setup.exe_sfx.exe
3512	assistant_installer.exe
1308	assistant_installer.exe

Loads dropped DLL 7 IoCs

pid	Process
4732	669ab23d45556028e7b0b03eb541be1d1a98888e076a79ec6540593bc3135e03.exe
1720	669ab23d45556028e7b0b03eb541be1d1a98888e076a79ec6540593bc3135e03.exe
1364	669ab23d45556028e7b0b03eb541be1d1a98888e076a79ec6540593bc3135e03.exe
3512	assistant_installer.exe
3512	assistant_installer.exe
1308	assistant_installer.exe
1308	assistant_installer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	669ab23d45556028e7b0b03eb541be1d1a98888e076a79ec6540593bc3135e03.exe
File opened (read-only)	\??\F:	669ab23d45556028e7b0b03eb541be1d1a98888e076a79ec6540593bc3135e03.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4732	669ab23d45556028e7b0b03eb541be1d1a98888e076a79ec6540593bc3135e03.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4732 wrote to memory of 1720	4732	669ab23d45556028e7b0b03eb541be1d1a98888e076a79ec6540593bc3135e03.exe	88
PID 4732 wrote to memory of 1720	4732	669ab23d45556028e7b0b03eb541be1d1a98888e076a79ec6540593bc3135e03.exe	88
PID 4732 wrote to memory of 1720	4732	669ab23d45556028e7b0b03eb541be1d1a98888e076a79ec6540593bc3135e03.exe	88
PID 4732 wrote to memory of 1364	4732	669ab23d45556028e7b0b03eb541be1d1a98888e076a79ec6540593bc3135e03.exe	90
PID 4732 wrote to memory of 1364	4732	669ab23d45556028e7b0b03eb541be1d1a98888e076a79ec6540593bc3135e03.exe	90
PID 4732 wrote to memory of 1364	4732	669ab23d45556028e7b0b03eb541be1d1a98888e076a79ec6540593bc3135e03.exe	90
PID 4732 wrote to memory of 3136	4732	669ab23d45556028e7b0b03eb541be1d1a98888e076a79ec6540593bc3135e03.exe	102
PID 4732 wrote to memory of 3136	4732	669ab23d45556028e7b0b03eb541be1d1a98888e076a79ec6540593bc3135e03.exe	102
PID 4732 wrote to memory of 3136	4732	669ab23d45556028e7b0b03eb541be1d1a98888e076a79ec6540593bc3135e03.exe	102
PID 4732 wrote to memory of 3512	4732	669ab23d45556028e7b0b03eb541be1d1a98888e076a79ec6540593bc3135e03.exe	103
PID 4732 wrote to memory of 3512	4732	669ab23d45556028e7b0b03eb541be1d1a98888e076a79ec6540593bc3135e03.exe	103
PID 4732 wrote to memory of 3512	4732	669ab23d45556028e7b0b03eb541be1d1a98888e076a79ec6540593bc3135e03.exe	103
PID 3512 wrote to memory of 1308	3512	assistant_installer.exe	104
PID 3512 wrote to memory of 1308	3512	assistant_installer.exe	104
PID 3512 wrote to memory of 1308	3512	assistant_installer.exe	104

C:\Users\Admin\AppData\Local\Temp\669ab23d45556028e7b0b03eb541be1d1a98888e076a79ec6540593bc3135e03.exe
"C:\Users\Admin\AppData\Local\Temp\669ab23d45556028e7b0b03eb541be1d1a98888e076a79ec6540593bc3135e03.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4732
- C:\Users\Admin\AppData\Local\Temp\669ab23d45556028e7b0b03eb541be1d1a98888e076a79ec6540593bc3135e03.exe
  C:\Users\Admin\AppData\Local\Temp\669ab23d45556028e7b0b03eb541be1d1a98888e076a79ec6540593bc3135e03.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=106.0.4998.19 --initial-client-data=0x2f0,0x2f4,0x2f8,0x2b8,0x2fc,0x74cd9530,0x74cd953c,0x74cd9548
  2⤵
  - Loads dropped DLL
  PID:1720
- C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\669ab23d45556028e7b0b03eb541be1d1a98888e076a79ec6540593bc3135e03.exe
  "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\669ab23d45556028e7b0b03eb541be1d1a98888e076a79ec6540593bc3135e03.exe" --version
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1364
- C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403090001301\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
  "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403090001301\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"
  2⤵
  - Executes dropped EXE
  PID:3136
- C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403090001301\assistant\assistant_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403090001301\assistant\assistant_installer.exe" --version
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3512
- - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403090001301\assistant\assistant_installer.exe
    "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403090001301\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0x1f0040,0x1f004c,0x1f0058
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\669ab23d45556028e7b0b03eb541be1d1a98888e076a79ec6540593bc3135e03.exe

Filesize
4.8MB

MD5
e15f03ca085312bca433f1d7d061d8c3

SHA1
8402b6262e71acc027e51648434b41bae07ddcdb

SHA256
669ab23d45556028e7b0b03eb541be1d1a98888e076a79ec6540593bc3135e03

SHA512
64f7908c6f5a388e5b05b3e4d2bd23d40cc6449226f7123477d849bf3d544f12b4a11b18b11c92edce1178518ae31fa1446eeef59254339596d883c66ab0f7d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403090001301\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe

Filesize
1.9MB

MD5
93ab6b1ffea7251b61db976c90868e05

SHA1
5cd7d3226dbacb61eaf14dbd29a7d6bbc4a779fb

SHA256
cfdf7a657c69d380484d30add46d1579e4410efa7714ac28ea22d4bf2216843e

SHA512
db8dafe2f9ef1eac10c45f3998a0c27e97c75e4812b540ad0764f65a66b5d38647e53b761f1aab7ea113132f754e073e9fdb7b08b3eef91bf555d6e580cedbd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403090001301\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe

Filesize
891KB

MD5
422d2ca45324529b435647f38a056b77

SHA1
9be341b50d0e00e29c6b67b9ac817625bdc75efe

SHA256
893084049b33f084d31eef20a3b90bf71b0ae1877ce0769e94e50b933f0afa3c

SHA512
abd3a48952951579a2efb9358ce861b0ff41337bd7a6e0aaa8edfe0fc9f8eeb34463a0ac1b6c02cbe4dae06a6f4882e634428a52590b9df3fb14df5dd26a01d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403090001301\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe

Filesize
1.7MB

MD5
a9cff8058b14cfe6874ab37779b5f7de

SHA1
6b7fe96545e29bbadc9b621d026b1d66f7790d40

SHA256
87eb1972246f6e21fe3f873ac92bdccdd25dfafdbd8ab93caed5858397fb2cef

SHA512
e536640f35c949c26a2ac2407de28c8e6ca223c379c985aa0de42ea3d898a19b4f26d292b39ed00a02f46c5ffb0ca8c211dbe3f1cf03a0b1b85b16181a68872c

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403090001301\assistant\assistant_installer.exe

Filesize
1.9MB

MD5
b3f05009b53af6435e86cfd939717e82

SHA1
770877e7c5f03e8d684984fe430bdfcc2cf41b26

SHA256
3ea8d40fcede1fc03e5603246d75d13e8d44d7229d4c390c39a55534053027f7

SHA512
d2dee80aaa79b19f1eb1db85079a05f621780e06bfea9e838b62d757ba29399f9090ec7c6ff553377c9b712f3ba8dd812cdff39f3e28829928e86746a8ac6b27

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403090001301\assistant\dbgcore.dll

Filesize
166KB

MD5
8b6f64e5d3a608b434079e50a1277913

SHA1
03f431fabf1c99a48b449099455c1575893d9f32

SHA256
926d444ffca166e006920412677c4ed2ef159cf0efc0578cb45b824f428f5eb2

SHA512
c9aeac62ece564ac64a894300fb9d41d13f22951ead73421854c23c506760d984dff0af92bef2d80f3a66e782f0075832e9c24a50ae6110d27a25c14e065b41c

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403090001301\assistant\dbghelp.dll

Filesize
1.7MB

MD5
925ea07f594d3fce3f73ede370d92ef7

SHA1
f67ea921368c288a9d3728158c3f80213d89d7c2

SHA256
6d02ebd4ec9a6093f21cd8ccefb9445fa0ab7b1f69ac868a5cfc5d28ed8d2de9

SHA512
a809851da820d9fdd8fb860a8f549311dcc2579df2c6f6fba74f50d5d8bf94baa834b09fb5476ac248f18d1deb6b47d4fdd6d658889d5d45ca8774a9264483d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403090001301\opera_package

Filesize
23.0MB

MD5
1a012a88cb42c6be93977ff527d24c0f

SHA1
1236721461ddae7b333c0fb53753fa310d8a4b7d

SHA256
37dceac55fc118c0dbc7f650be63e239ceab8bb98b53664b1d716a2b7747f200

SHA512
2b1a74557c23a47743001ccddbd737d2b085426f946a000ab20657b1eb73cfb1e5774f46bea1d4976030777964181bdb7541fc21b3b9ab28b7900543379bb40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403090001294584732.dll

Filesize
4.3MB

MD5
8cf8e93e2916d18389c23338d95ef472

SHA1
21adefb0dcdfbff39e31bcde8da84ce048adce54

SHA256
81e7a2fa505d364feb8477724cb38846e4f9744eb983b826b9283977a3c3f19e

SHA512
2cc2a42b3487327f11e8965a503a8decc413fc3b378bc5daae645838572233d15f0e8bff28ac55f125599f44e240e3171fd9ab8620d05f4785158fd3c07c1c68

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

Filesize
40B

MD5
b1ffba52a515ba012e889b16100714fb

SHA1
88ac0c9a40356127caef94c95b8151888f7f0f64

SHA256
759407f6d67688303cce2ef4f93874da8949b9583ccc6bafa18b1779c8d39c07

SHA512
3cd1d9f6f92816773d5294324b5577a7eab16bd52e0c53e8ea81237e07ebc9e89dcbf5d41e02dff516a65072081aaf68cd85c39b62b758e26f7dec580444b8c0

Download Submit
memory/1364-13-0x0000000000660000-0x0000000000B3B000-memory.dmp

Filesize
4.9MB

Download
memory/1720-4-0x0000000000150000-0x000000000062B000-memory.dmp

Filesize
4.9MB

Download
memory/4732-0-0x0000000000150000-0x000000000062B000-memory.dmp

Filesize
4.9MB

Download