5e5c8aed53266a2ef9d6617e245cea13eafcb21523210d596ee39f641ab2e079

Analysis

max time kernel
141s
max time network
130s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
14/03/2024, 06:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7f91db957a2cf3ab69f74d11d5cbb06.exe
Size

2.5MB
MD5

c7f91db957a2cf3ab69f74d11d5cbb06
SHA1

85ed50f3dddce2e1c7bc977fdcf28fb3f71572ab
SHA256

5e5c8aed53266a2ef9d6617e245cea13eafcb21523210d596ee39f641ab2e079
SHA512

a53dfffe589f9285fc228921d917f0c49adc5ae45101d10972639733e8b6cd5260e30069cd44d147305d5ac88ddbd2d6e9140534c976373bc47166cd533f9849
SSDEEP

49152:mJMB3CZWdStf43iviuyduNhcRiTzeGzmMhMxDotfw5ozYjj/a9wqzPo1aIPBbxlm:YAywStfIEinduNhVHeGKMhM5l5rjj/KD

Score

7^/10

spyware stealer upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1884	c7f91db957a2cf3ab69f74d11d5cbb06.exe

Loads dropped DLL 4 IoCs

pid	Process
1972	c7f91db957a2cf3ab69f74d11d5cbb06.exe
1464	c7f91db957a2cf3ab69f74d11d5cbb06.exe
1972	c7f91db957a2cf3ab69f74d11d5cbb06.exe
1884	c7f91db957a2cf3ab69f74d11d5cbb06.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1972-1-0x0000000000400000-0x0000000000850000-memory.dmp	upx
behavioral1/memory/1464-12-0x0000000000400000-0x0000000000850000-memory.dmp	upx
behavioral1/files/0x0006000000016e24-14.dat	upx
behavioral1/memory/1884-20-0x0000000000400000-0x0000000000850000-memory.dmp	upx
behavioral1/memory/1884-23-0x0000000000400000-0x0000000000850000-memory.dmp	upx
behavioral1/memory/1972-62-0x0000000000400000-0x0000000000850000-memory.dmp	upx

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	c7f91db957a2cf3ab69f74d11d5cbb06.exe
File opened (read-only)	\??\F:	c7f91db957a2cf3ab69f74d11d5cbb06.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1972	c7f91db957a2cf3ab69f74d11d5cbb06.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 1464	1972	c7f91db957a2cf3ab69f74d11d5cbb06.exe	28
PID 1972 wrote to memory of 1464	1972	c7f91db957a2cf3ab69f74d11d5cbb06.exe	28
PID 1972 wrote to memory of 1464	1972	c7f91db957a2cf3ab69f74d11d5cbb06.exe	28
PID 1972 wrote to memory of 1464	1972	c7f91db957a2cf3ab69f74d11d5cbb06.exe	28
PID 1972 wrote to memory of 1464	1972	c7f91db957a2cf3ab69f74d11d5cbb06.exe	28
PID 1972 wrote to memory of 1464	1972	c7f91db957a2cf3ab69f74d11d5cbb06.exe	28
PID 1972 wrote to memory of 1464	1972	c7f91db957a2cf3ab69f74d11d5cbb06.exe	28
PID 1972 wrote to memory of 1884	1972	c7f91db957a2cf3ab69f74d11d5cbb06.exe	29
PID 1972 wrote to memory of 1884	1972	c7f91db957a2cf3ab69f74d11d5cbb06.exe	29
PID 1972 wrote to memory of 1884	1972	c7f91db957a2cf3ab69f74d11d5cbb06.exe	29
PID 1972 wrote to memory of 1884	1972	c7f91db957a2cf3ab69f74d11d5cbb06.exe	29
PID 1972 wrote to memory of 1884	1972	c7f91db957a2cf3ab69f74d11d5cbb06.exe	29
PID 1972 wrote to memory of 1884	1972	c7f91db957a2cf3ab69f74d11d5cbb06.exe	29
PID 1972 wrote to memory of 1884	1972	c7f91db957a2cf3ab69f74d11d5cbb06.exe	29

C:\Users\Admin\AppData\Local\Temp\c7f91db957a2cf3ab69f74d11d5cbb06.exe
"C:\Users\Admin\AppData\Local\Temp\c7f91db957a2cf3ab69f74d11d5cbb06.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Users\Admin\AppData\Local\Temp\c7f91db957a2cf3ab69f74d11d5cbb06.exe
  C:\Users\Admin\AppData\Local\Temp\c7f91db957a2cf3ab69f74d11d5cbb06.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=77.0.4054.277 --initial-client-data=0x178,0x17c,0x180,0x14c,0x184,0x74fa43b0,0x74fa43c0,0x74fa43cc
  2⤵
  - Loads dropped DLL
  PID:1464
- C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\c7f91db957a2cf3ab69f74d11d5cbb06.exe
  "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\c7f91db957a2cf3ab69f74d11d5cbb06.exe" --version
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
823cf8bfde4f216b897c2c20bb12f18c

SHA1
e915f6bd3dbc0abd3104aad04d05aedb63708822

SHA256
b0ebc6c2f68a07b489ef391832ca24eb1cc2c647bd7360ecf79a10d76f67383e

SHA512
6edc23f7e46535fb358ed862a77a3d031af08b8f89c377a144bdfe1a01b4754b72e2801094102656a3a02aa326414f2dc1a4f273ac186069cfa0cc5e189d8581

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cb84bd60ac2053567d3519bc3321d30c

SHA1
9e62a6919dd448a5b151de601cbac33f8d23ccfb

SHA256
b83833425e600a420e8acbbd4337c67b580278be0a61bebaf73c19751b18a96f

SHA512
a6d0d5bb9a23b75525f642e80cf1c88b2dc04297d9edb29f50f0381eb14b8cb520fb272d194d4ecc043802ada3a2f97bd7bfa75fb0ba99e942ccfd0bd2e99ee7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
81db824803dc6151a2adb7cc2487f6be

SHA1
55a1fd2a928a28d5679fecc133fede5a9ce83ec2

SHA256
d771a22eabaeea4cee8df79d88b1d3556bf17027be5c8b1b2157a7f12d7c01fe

SHA512
f8c942fe72c81d67ff285d02d5e5eb107c7e51cd7b0d8cf43d46f63010808bbd5918aebfda29596afd509b72e05a5dda68a8e0b220dbe1fa39faae591774384a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
114f627895223a6306f646a2c3ca0517

SHA1
cca40f756bcacdc0389d3350bd25432e9587eaf3

SHA256
3eaff62cdbb2889624c926883df9ed345c5f468ed937bdec6e49a45f0cce98bb

SHA512
24e7a4193b4353fe449cc0b86bf71409a88846aaee2c9b7932b3e8e09e9c164ac0b6ba1e210cac572e887d537514fc3829ba616d45e722b082d379ce49404da9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6ff5bade39497cfa8af816fbc1bed00d

SHA1
78ba300e15d8c4a9f576e1f5ce69062628ee0913

SHA256
4e971241b8ed860f1cecb28da1b64e466afd4a6134a060d9a15d0c55f74081ff

SHA512
336779561293eadb610f391acbfbe161d6937442d0810ffbec17c3640ed0f530d90c4e9bc8d99d3934b36c85ef75c9701348ff3eb29c5a9fd054d7d76592f667

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7c22ab61fade792def066cf8b48affb0

SHA1
bcb26d9c1d15c1a0f39987c0dca68f3ac0d089b1

SHA256
673a74d582c877bc92d987ce07548d4e80455ae7b6cbe9fe9c1e62ae29745b07

SHA512
2b43d5ff6850147f50c903133b23b1b9e1ad30cf14607ab0b1e70fd95dc87845e2ddca1bb3ec3b342e45096348db93802b04f157ca1d8dda441d898135573bef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b6644d8da356d3c2ac4f2287eb5dfa8a

SHA1
8c981182325d8b1985ce0e9a3718bfb6ff1c02ee

SHA256
21b106536a0c90a20c3db3a6f6c41aebeaebb9693727cd1852c755887eaed868

SHA512
663e54974d99c23258e1be169fa1723d9942803cea89c39ae44f731a4d3575d26a3df5f450f04c2dda7df97b29ecdb5a6df1a45f03a2d1d72c55878dc108b64b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
31dd5cc664f4d32277c04fccdb64422e

SHA1
e1671fa5ea9e9ea380c767597b0a1aa7d886eb20

SHA256
a50b8f7daff16bc578d06324912095660ec658a3470c918fc816f55478c6a120

SHA512
24e7a2a229dc8a4fde5141253050cdc3257e03d2baf2a7e14677ac80369e0df219fa5cbc0fe30004cd11757efd49cfd3fd191bdb4d40b4f961ddac943302ce59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d07cfbf988108bea9d3577518d789ef2

SHA1
381ea830a39ec44cabad8a004a10400b54f446f4

SHA256
beb5bcc302286403283e3f0e36c0d888d63e44b2727e0b80bc914ed88c8c6c20

SHA512
ce80c7d0642ec2db3eef8a3c769fcd36c20f9d02e3a084d6d3b7168270843ac38113e9bbf056eb71adb747c86d12000a7dc2123c921f5764bfc5fbb9eb0d683e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
02911a64564d740ca9e32a9a9b75940c

SHA1
1e2bd083148f3d2e7f8aee6c5a122618fd362971

SHA256
1744a5909424294e3b197d0be565e04b4225ff6a91c4ba275122e1f9f986a80f

SHA512
a4fc4b7e117926953af95a6a199be4decefede36cd8001c4af108bbd4df3dc779c30344ac73d3e9adb25e41d1b6a18820347d9c08e1ed2a817bd46f46eee1800

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403140654376671884.dll

Filesize
3.0MB

MD5
356a5c722aae797b21d899c4b34bcd52

SHA1
d457da10e7b1a78d9654e155a172b658b98a4d7c

SHA256
5edb5e6558872040bd0635cf5601e66677f59fa9a645f915d44f967354fcf1d1

SHA512
d1870353214d24994d2376c0be07dd91bb962a92b90fc127f06ac3a0fa563a766989933c88b3faeefa619c6d9eb59908a861ffb96fb32f194f87a40820874349

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4945.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

Filesize
40B

MD5
c4b092fa7ea0bb486317ac190298f119

SHA1
2152620f5fca4289c90e4bad0deb930c3659c1db

SHA256
44d71809f4ebc1eed0298f6cf15d670df4fcd38f194a6eb235942d6fa076851b

SHA512
c5ac86aa2f5501678991636cd4800574d6447454b9077dc8d03cd86e820c22cc3224ce55cf5309d7d5fba66ba8c294f02c0716339e430755fd06ab2af703f8f6

Download Submit
\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\c7f91db957a2cf3ab69f74d11d5cbb06.exe

Filesize
2.5MB

MD5
c7f91db957a2cf3ab69f74d11d5cbb06

SHA1
85ed50f3dddce2e1c7bc977fdcf28fb3f71572ab

SHA256
5e5c8aed53266a2ef9d6617e245cea13eafcb21523210d596ee39f641ab2e079

SHA512
a53dfffe589f9285fc228921d917f0c49adc5ae45101d10972639733e8b6cd5260e30069cd44d147305d5ac88ddbd2d6e9140534c976373bc47166cd533f9849

Download Submit
\Users\Admin\AppData\Local\Temp\Opera_installer_2403140654373691972.dll

Filesize
3.8MB

MD5
57ab4ac50e486cf7626f855f8062268f

SHA1
b1b3de632d04f69a9297b292d8610361d97f86cd

SHA256
015e0d8c95d75eb2ab07fb652d6c77a93fc01f1e790017b13375658303b2c820

SHA512
3b71192b7c574a875574f2a75b19911aca5a0c1aeb0cc7f9010495b2cb8cca601658d80b6c27d97fe1102203ba68bd7cbd455ddf54f942f8b351e339413d50c0

Download Submit
\Users\Admin\AppData\Local\Temp\Opera_installer_2403140654375111464.dll

Filesize
3.4MB

MD5
e9856d75c338b06c0b3d211eb5a3a282

SHA1
1916fd0f92a14dad71aa16747179203dd39d7f01

SHA256
396378b66da32d20071c256a8f6f8e4d586293d3dbd2eeefe3e5eac16aea5dd5

SHA512
200119214f38fae275408e35e45e3bf6ea780ae48319199f2b0734a58eb976c7131901540b1b861fe838b668148a10ceb69293e042ffa89bbdf3bb8166ea4d12

Download Submit
\Users\Admin\AppData\Local\Temp\Opera_installer_2403140654376671884.dll

Filesize
3.4MB

MD5
2cf4d1a6be19883d2578a8b8d44f05dd

SHA1
44892c6596da05fd809993386a62fa6c9b7e6ca0

SHA256
2137f596a6be919e419ee1c9189d8c3175c708f31b6f26730670372ea91dc514

SHA512
2495e603201384c3f5f57829e4342a9163c32b22ceb6f803c75cf6d27620e537f976188f104349974647203a1bcf35b50d7b869760832591afda678836f95d6d

Download Submit
memory/1464-12-0x0000000000400000-0x0000000000850000-memory.dmp

Filesize
4.3MB

Download
memory/1884-20-0x0000000000400000-0x0000000000850000-memory.dmp

Filesize
4.3MB

Download
memory/1884-23-0x0000000000400000-0x0000000000850000-memory.dmp

Filesize
4.3MB

Download
memory/1972-62-0x0000000000400000-0x0000000000850000-memory.dmp

Filesize
4.3MB

Download
memory/1972-1-0x0000000000400000-0x0000000000850000-memory.dmp

Filesize
4.3MB

Download
memory/1972-4-0x00000000027C0000-0x0000000002C10000-memory.dmp

Filesize
4.3MB

Download
memory/1972-18-0x0000000002E40000-0x0000000003290000-memory.dmp

Filesize
4.3MB

Download