Analysis

  • max time kernel
    153s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07-04-2024 16:55

General

  • Target

    kZF3r2E.exe

  • Size

    3.4MB

  • MD5

    42bd5d3ca66f4f9225a36bbe3a39c446

  • SHA1

    f67ac8661efee4f6106ee51ea30178bb16f91285

  • SHA256

    31417e74d6646eb04a5da10d26565cd67bf99a36def8825c6bceaa3e6eab5906

  • SHA512

    d84ed2ebdde0e92914aa758f83501f8be059294286a3a3c6d002b9a1e984fc193b5e0387ead41dc07d4c242647c2d410ebe8d218719e2cf2b90a727ce4d53dd6

  • SSDEEP

    98304:6WnL1M2XNmcGCVIps5phuIMAbvbJaJNQqPAbsU8968Vum8z22E:6Wu2Qcvlh9vbvWobIbG3E

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE (4 IoCs)
  • Loads dropped DLL (3 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file (7 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates connected drives (3 TTPs, 2 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies system certificate store (2 TTPs, 6 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (15 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\kZF3r2E.exe
    "C:\Users\Admin\AppData\Local\Temp\kZF3r2E.exe"
    1⤵
    • Loads dropped DLL
    • Enumerates connected drives
    • Modifies system certificate store
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3228
    • C:\Users\Admin\AppData\Local\Temp\kZF3r2E.exe
      C:\Users\Admin\AppData\Local\Temp\kZF3r2E.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=107.0.5045.86 --initial-client-data=0x2f4,0x2f8,0x2fc,0x2f0,0x300,0x74c3626c,0x74c36278,0x74c36284
      2⤵
      • Loads dropped DLL
      PID:2912
    • C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\kZF3r2E.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\kZF3r2E.exe" --version
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:4072
    • C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202404071656071\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202404071656071\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe"
      2⤵
      • Executes dropped EXE
      PID:336
    • C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202404071656071\assistant\assistant_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202404071656071\assistant\assistant_installer.exe" --version
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2560
      • C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202404071656071\assistant\assistant_installer.exe
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202404071656071\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=73.0.3856.382 --initial-client-data=0x26c,0x270,0x274,0x248,0x278,0x2b4f48,0x2b4f58,0x2b4f64
        3⤵
        • Executes dropped EXE
        PID:2688
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4072 --field-trial-handle=2284,i,2771196087253062161,8107167670425198948,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:4848

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\kZF3r2E.exe

      Filesize

      3.4MB

      MD5

      42bd5d3ca66f4f9225a36bbe3a39c446

      SHA1

      f67ac8661efee4f6106ee51ea30178bb16f91285

      SHA256

      31417e74d6646eb04a5da10d26565cd67bf99a36def8825c6bceaa3e6eab5906

      SHA512

      d84ed2ebdde0e92914aa758f83501f8be059294286a3a3c6d002b9a1e984fc193b5e0387ead41dc07d4c242647c2d410ebe8d218719e2cf2b90a727ce4d53dd6

    • C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202404071656071\additional_file0.tmp

      Filesize

      1.4MB

      MD5

      e9a2209b61f4be34f25069a6e54affea

      SHA1

      6368b0a81608c701b06b97aeff194ce88fd0e3c0

      SHA256

      e950f17f4181009eeafa9f5306e8a9dfd26d88ca63b1838f44ff0efc738e7d1f

      SHA512

      59e46277ca79a43ed8b0a25b24eff013e251a75f90587e013b9c12851e5dd7283b6172f7d48583982f6a32069457778ee440025c1c754bf7bb6ce8ae1d2c3fc5

    • C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202404071656071\assistant\assistant_installer.exe

      Filesize

      1.8MB

      MD5

      4c8fbed0044da34ad25f781c3d117a66

      SHA1

      8dd93340e3d09de993c3bc12db82680a8e69d653

      SHA256

      afe569ce9e4f71c23ba5f6e8fd32be62ac9538e397cde8f2ecbe46faa721242a

      SHA512

      a04e6fd052d2d63a0737c83702c66a9af834f9df8423666508c42b3e1d8384300239c9ddacdc31c1e85140eb1193bcfac209f218750b40342492ffce6e9da481

    • C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202404071656071\opera_package

      Filesize

      135.7MB

      MD5

      51925d4ccf835cfc01fc4128e16aae03

      SHA1

      2e29709468adb5399c91da7c65c2999ff1e136e9

      SHA256

      4bc959418d2a311e7fe50db799145d65382a7697230f9d343f3ae23f6526a91d

      SHA512

      a23cd3e8ddb059c898ccde02e3fb56f9767d989b96c207594d9a437964fd35a4f3ec7c68923ea669f206d3d13f9668b3970e9e6784e92e3a4beef10707267b32

    • C:\Users\Admin\AppData\Local\Temp\Opera_installer_2404071656026943228.dll

      Filesize

      5.2MB

      MD5

      7c4c89e7a2b29a8fc7c24fd158761f5f

      SHA1

      f05bddcb3df1811d104939192510d7afce5bf9b1

      SHA256

      b2b0b0372fea8c706860f531099234dd2e90a5648adba0e540cb1eeba6ea0d99

      SHA512

      135bea3366b56f78d78d71969f8ae09fca130339e8989480c29b9970e35c9ed81bccb0a26e68fa572d254d2434f10c28e200baf2044248378724fd471483cd0c

    • C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports\settings.dat

      Filesize

      40B

      MD5

      2013d8dcb5f4517b47ee1bd10888477d

      SHA1

      36b320272aa7b6d93bd838bfb47b95de444bf3ee

      SHA256

      9c5dcec9b6ecc63d9ad796fadfaceb56a44df3dc8aac7dde1f8effa932f0249d

      SHA512

      ea2368d4bab16e5f6ca5222347021c95ea940a03446510ccb95137fbc2ae5c209d1947bc93b19e1085748dc914d2d69fcaeba9dddf166313b69f85f070d16280

    • memory/2912-5-0x00000000001A0000-0x0000000000760000-memory.dmp

      Filesize

      5.8MB

    • memory/2912-35-0x00000000001A0000-0x0000000000760000-memory.dmp

      Filesize

      5.8MB

    • memory/3228-0-0x00000000001A0000-0x0000000000760000-memory.dmp

      Filesize

      5.8MB

    • memory/3228-13-0x00000000001A0000-0x0000000000760000-memory.dmp

      Filesize

      5.8MB

    • memory/4072-17-0x0000000000C30000-0x00000000011F0000-memory.dmp

      Filesize

      5.8MB

    • memory/4072-19-0x0000000000C30000-0x00000000011F0000-memory.dmp

      Filesize

      5.8MB