a3e56ab22da24ce64ec004e9632618aec9fd5eb76541b87e85635625ee7d2299

General

Target

01728ee1ea2cf15db7ca35d7497a049d.exe
Size

45KB
MD5

01728ee1ea2cf15db7ca35d7497a049d
SHA1

6c8533c7511aaf936381fdb25967a5a27b455c7b
SHA256

a3e56ab22da24ce64ec004e9632618aec9fd5eb76541b87e85635625ee7d2299
SHA512

019adbd080dfab157a9e843a44303058d9a57e136ab8c465a0a729b0c777f271404933216ef34ddbf9aae1b967212323cef2120ded367733ac6438f52c9ab155
SSDEEP

768:6zjIBGjHXRrs9sINeZEtejlIkoLN127BFVn2p4lAnZ8OJ+1+Tadtp/bkt7Yd2+oL:AkGjXRrs9sINeZEtejlIkoLN127BFVnU

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2984	opera_updater.exe

Loads dropped DLL 1 IoCs

pid	Process
2492	01728ee1ea2cf15db7ca35d7497a049d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	opera_updater.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	opera_updater.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 2984	2492	01728ee1ea2cf15db7ca35d7497a049d.exe	28
PID 2492 wrote to memory of 2984	2492	01728ee1ea2cf15db7ca35d7497a049d.exe	28
PID 2492 wrote to memory of 2984	2492	01728ee1ea2cf15db7ca35d7497a049d.exe	28
PID 2492 wrote to memory of 2984	2492	01728ee1ea2cf15db7ca35d7497a049d.exe	28
PID 2492 wrote to memory of 2984	2492	01728ee1ea2cf15db7ca35d7497a049d.exe	28
PID 2492 wrote to memory of 2984	2492	01728ee1ea2cf15db7ca35d7497a049d.exe	28
PID 2492 wrote to memory of 2984	2492	01728ee1ea2cf15db7ca35d7497a049d.exe	28

C:\Users\Admin\AppData\Local\Temp\01728ee1ea2cf15db7ca35d7497a049d.exe
"C:\Users\Admin\AppData\Local\Temp\01728ee1ea2cf15db7ca35d7497a049d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Users\Admin\AppData\Local\Temp\opera_updater.exe
  "C:\Users\Admin\AppData\Local\Temp\opera_updater.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\opera_updater.exe

Filesize
45KB

MD5
e82ad30b9fd062f80ba0e8dbbdaceff3

SHA1
d30d4c7cd7b9f99c6c3d2c5307175578aae99721

SHA256
199ce5fbb8c45db27f13ec183557340821f0fffe430cb42098bafce64dbaaa49

SHA512
1b80c2380757e7c8aeee9b366b26f870e3dcbd6451df48ac21e8754e54fa04eb4647494310357beff43133f049817b10542e404adc17b8299f3936ab8c4d4af9

Download Submit
memory/2492-0-0x0000000000D50000-0x0000000000D59000-memory.dmp

Filesize
36KB

Download
memory/2984-8-0x0000000000A10000-0x0000000000A19000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing