Analysis

  • max time kernel
    987s
  • max time network
    452s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27/05/2024, 14:18

General

  • Target

    CyberGhost VPN 8.0.6.2540 + Crack.exe

  • Size

    14.2MB

  • MD5

    89a80be94a0925889e4235cd0455288e

  • SHA1

    71031291706ea11c2df2b38381e1588173f426e3

  • SHA256

    45e289f766b3c4ff06e41032cf1988e856a41442ee6aedcd45a84838595279c7

  • SHA512

    c913740f9aee0217b3bb13300c986e65dcc326c0b20b848a77a731252717442e41ef6dc6c3e63f2bec37f9434c354ab34dd2f8a61d0213986bd3fc69ad3c0eb2

  • SSDEEP

    393216:uRqfbDiqiFCrnWNCwiZgamThZoXYRv34TzzX:uaICn+7oXYmTzL

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE (9 IoCs)
  • Loads dropped DLL (12 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives (3 TTPs, 4 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer (2 IoCs)
  • Modifies system certificate store (2 TTPs, 6 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of WriteProcessMemory (27 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\CyberGhost VPN 8.0.6.2540 + Crack.exe
    "C:\Users\Admin\AppData\Local\Temp\CyberGhost VPN 8.0.6.2540 + Crack.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2816
    • C:\Users\Admin\AppData\Local\Temp\nsf4681.tmp\mot.exe
      "C:\Users\Admin\AppData\Local\Temp\nsf4681.tmp\mot.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of WriteProcessMemory
      PID:3808
      • C:\Users\Admin\AppData\Local\Temp\nsz2A97.tmp\set_0.exe
        "C:\Users\Admin\AppData\Local\Temp\nsz2A97.tmp\set_0.exe" --silent --allusers=0
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Enumerates connected drives
        • Modifies system certificate store
        • Suspicious use of WriteProcessMemory
        PID:4916
        • C:\Users\Admin\AppData\Local\Temp\nsz2A97.tmp\set_0.exe
          C:\Users\Admin\AppData\Local\Temp\nsz2A97.tmp\set_0.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=109.0.5097.100 --initial-client-data=0x2a8,0x2ac,0x2b0,0x284,0x2b4,0x734a4290,0x734a429c,0x734a42a8
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:3444
        • C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\set_0.exe
          "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\set_0.exe" --version
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:3772
        • C:\Users\Admin\AppData\Local\Temp\nsz2A97.tmp\set_0.exe
          "C:\Users\Admin\AppData\Local\Temp\nsz2A97.tmp\set_0.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera GX" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --server-tracking-data=server_tracking_data --initial-pid=4916 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_20240527141950" --session-guid=b38895ff-e15e-4c62-ad98-916cbc5765ed --server-tracking-blob=… --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=5005000000000000
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Enumerates connected drives
          • Suspicious use of WriteProcessMemory
          PID:1036
          • C:\Users\Admin\AppData\Local\Temp\nsz2A97.tmp\set_0.exe
            C:\Users\Admin\AppData\Local\Temp\nsz2A97.tmp\set_0.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=109.0.5097.100 --initial-client-data=0x2bc,0x2c0,0x2c4,0x284,0x2c8,0x72684290,0x7268429c,0x726842a8
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:4364
        • C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202405271419501\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe
          "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202405271419501\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe"
          4⤵
          • Executes dropped EXE
          PID:3816
        • C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202405271419501\assistant\assistant_installer.exe
          "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202405271419501\assistant\assistant_installer.exe" --version
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:4796
          • C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202405271419501\assistant\assistant_installer.exe
            "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202405271419501\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=73.0.3856.382 --initial-client-data=0x274,0x278,0x27c,0x250,0x280,0x3e4f48,0x3e4f58,0x3e4f64
            5⤵
            • Executes dropped EXE
            PID:2692

        Downloads
