1d48fc48bc4e0bbafd3defadc3452266edd1c9b91ccafc7fc13fc8c40ba6f15f

Analysis

max time kernel
142s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 19:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67e49b12addd7dfe76416faa910bebd0.exe
Size

37KB
MD5

67e49b12addd7dfe76416faa910bebd0
SHA1

66ad5c50b15556d09e7fe17fb9a32ae02c3c3dd1
SHA256

1d48fc48bc4e0bbafd3defadc3452266edd1c9b91ccafc7fc13fc8c40ba6f15f
SHA512

266c85a13e01a34661c010cf62ba41f341a65cd680b47e1b56c5f64ad82767f6a8908ea38fa67c5ae97c708493eb47cbd1fc0a18de905be0d1895d5e028d476d
SSDEEP

384:JC+EaVVpDSL/7wIUAch1A9NB/erdO9oMCCQcxbRxla0rh84KtI3/w9netgKPTv08:JSfL/76As1FdMQ8RjaeeILt//+SWRFw

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	67e49b12addd7dfe76416faa910bebd0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	opera_autoupdater.exe

Executes dropped EXE 1 IoCs

pid	Process
1512	opera_autoupdater.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3216 wrote to memory of 1512	3216	67e49b12addd7dfe76416faa910bebd0.exe	88
PID 3216 wrote to memory of 1512	3216	67e49b12addd7dfe76416faa910bebd0.exe	88
PID 3216 wrote to memory of 1512	3216	67e49b12addd7dfe76416faa910bebd0.exe	88

C:\Users\Admin\AppData\Local\Temp\67e49b12addd7dfe76416faa910bebd0.exe
"C:\Users\Admin\AppData\Local\Temp\67e49b12addd7dfe76416faa910bebd0.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3216
- C:\Users\Admin\AppData\Local\Temp\opera_autoupdater.exe
  "C:\Users\Admin\AppData\Local\Temp\opera_autoupdater.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:1512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\opera_autoupdater.exe

Filesize
37KB

MD5
ab306cacd6a3020e10776894887b863f

SHA1
9351ad802d0c9239b2682b742361d5ae7ef1725c

SHA256
3e294b7b30962122fdaa76ab75d66dbcae9656ee7f342b495861ab3a86408050

SHA512
45794b55fbaf8baa9ea374d5fd4c2a6a5d1ddb6128c2df9385fae838603e068ef92ad5f786235347788b5e639ccd9d1cdaa275f2f6c86874712d6ec8fdc00721

Download Submit
memory/1512-9-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3216-0-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download