fe4283cd3dcc11d2bce7e069cf0072e6c18e40fb89b4aef7e1057aa1c533f331

General

Target

fe4283cd3dcc11d2bce7e069cf0072e6c18e40fb89b4aef7e1057aa1c533f331.exe
Size

2.6MB
MD5

6bee4c1100bc3d6f2228944d6c15b84d
SHA1

c1aac442a7e7fa03625a555cd95e8ab1d3eede7b
SHA256

fe4283cd3dcc11d2bce7e069cf0072e6c18e40fb89b4aef7e1057aa1c533f331
SHA512

3fc4db212011aa4f4d8fc1f3949ea28a120d3b4e2ceb6c41f00cc4a886bac25d0a7f682c597afc93e78e56e09267fda569f0da83186a53d1a05e8e7b08c8becb
SSDEEP

49152:RoUMoaz4KJ0atpf0h3U8pL8ibXG/kw2/dLInk1my/rD6cniVF:R5a86pOU8pL8ibXK329IkQy/rD6cq

Score

8^/10

spyware stealer upx

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
1168	fe4283cd3dcc11d2bce7e069cf0072e6c18e40fb89b4aef7e1057aa1c533f331.exe
4376	Assistant_110.0.5130.23_Setup.exe_sfx.exe
1232	assistant_installer.exe
4988	assistant_installer.exe

Loads dropped DLL 7 IoCs

pid	Process
876	fe4283cd3dcc11d2bce7e069cf0072e6c18e40fb89b4aef7e1057aa1c533f331.exe
1104	fe4283cd3dcc11d2bce7e069cf0072e6c18e40fb89b4aef7e1057aa1c533f331.exe
1168	fe4283cd3dcc11d2bce7e069cf0072e6c18e40fb89b4aef7e1057aa1c533f331.exe
1232	assistant_installer.exe
1232	assistant_installer.exe
4988	assistant_installer.exe
4988	assistant_installer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/876-3-0x00000000001C0000-0x00000000006D9000-memory.dmp	upx
behavioral2/memory/1104-7-0x00000000001C0000-0x00000000006D9000-memory.dmp	upx
behavioral2/files/0x0007000000023465-13.dat	upx
behavioral2/memory/1168-15-0x0000000000D80000-0x0000000001299000-memory.dmp	upx
behavioral2/memory/1168-19-0x0000000000D80000-0x0000000001299000-memory.dmp	upx
behavioral2/memory/1104-38-0x00000000001C0000-0x00000000006D9000-memory.dmp	upx
behavioral2/memory/876-37-0x00000000001C0000-0x00000000006D9000-memory.dmp	upx

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	fe4283cd3dcc11d2bce7e069cf0072e6c18e40fb89b4aef7e1057aa1c533f331.exe
File opened (read-only)	\??\F:	fe4283cd3dcc11d2bce7e069cf0072e6c18e40fb89b4aef7e1057aa1c533f331.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	fe4283cd3dcc11d2bce7e069cf0072e6c18e40fb89b4aef7e1057aa1c533f331.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f53000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c7f000000010000000c000000300a06082b060105050703097e000000010000000800000000c001b39667d601030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	fe4283cd3dcc11d2bce7e069cf0072e6c18e40fb89b4aef7e1057aa1c533f331.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae4747e000000010000000800000000c001b39667d6017f000000010000000c000000300a06082b060105050703091d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb0b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b0601050507030853000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	fe4283cd3dcc11d2bce7e069cf0072e6c18e40fb89b4aef7e1057aa1c533f331.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
876	fe4283cd3dcc11d2bce7e069cf0072e6c18e40fb89b4aef7e1057aa1c533f331.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 876 wrote to memory of 1104	876	fe4283cd3dcc11d2bce7e069cf0072e6c18e40fb89b4aef7e1057aa1c533f331.exe	80
PID 876 wrote to memory of 1104	876	fe4283cd3dcc11d2bce7e069cf0072e6c18e40fb89b4aef7e1057aa1c533f331.exe	80
PID 876 wrote to memory of 1104	876	fe4283cd3dcc11d2bce7e069cf0072e6c18e40fb89b4aef7e1057aa1c533f331.exe	80
PID 876 wrote to memory of 1168	876	fe4283cd3dcc11d2bce7e069cf0072e6c18e40fb89b4aef7e1057aa1c533f331.exe	83
PID 876 wrote to memory of 1168	876	fe4283cd3dcc11d2bce7e069cf0072e6c18e40fb89b4aef7e1057aa1c533f331.exe	83
PID 876 wrote to memory of 1168	876	fe4283cd3dcc11d2bce7e069cf0072e6c18e40fb89b4aef7e1057aa1c533f331.exe	83
PID 876 wrote to memory of 4376	876	fe4283cd3dcc11d2bce7e069cf0072e6c18e40fb89b4aef7e1057aa1c533f331.exe	85
PID 876 wrote to memory of 4376	876	fe4283cd3dcc11d2bce7e069cf0072e6c18e40fb89b4aef7e1057aa1c533f331.exe	85
PID 876 wrote to memory of 4376	876	fe4283cd3dcc11d2bce7e069cf0072e6c18e40fb89b4aef7e1057aa1c533f331.exe	85
PID 876 wrote to memory of 1232	876	fe4283cd3dcc11d2bce7e069cf0072e6c18e40fb89b4aef7e1057aa1c533f331.exe	86
PID 876 wrote to memory of 1232	876	fe4283cd3dcc11d2bce7e069cf0072e6c18e40fb89b4aef7e1057aa1c533f331.exe	86
PID 876 wrote to memory of 1232	876	fe4283cd3dcc11d2bce7e069cf0072e6c18e40fb89b4aef7e1057aa1c533f331.exe	86
PID 1232 wrote to memory of 4988	1232	assistant_installer.exe	87
PID 1232 wrote to memory of 4988	1232	assistant_installer.exe	87
PID 1232 wrote to memory of 4988	1232	assistant_installer.exe	87

C:\Users\Admin\AppData\Local\Temp\fe4283cd3dcc11d2bce7e069cf0072e6c18e40fb89b4aef7e1057aa1c533f331.exe
"C:\Users\Admin\AppData\Local\Temp\fe4283cd3dcc11d2bce7e069cf0072e6c18e40fb89b4aef7e1057aa1c533f331.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:876
- C:\Users\Admin\AppData\Local\Temp\fe4283cd3dcc11d2bce7e069cf0072e6c18e40fb89b4aef7e1057aa1c533f331.exe
  C:\Users\Admin\AppData\Local\Temp\fe4283cd3dcc11d2bce7e069cf0072e6c18e40fb89b4aef7e1057aa1c533f331.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=99.0.4788.31 --initial-client-data=0x2d8,0x2dc,0x2e0,0x2b4,0x2e4,0x74fb20d0,0x74fb20e0,0x74fb20ec
  2⤵
  - Loads dropped DLL
  PID:1104
- C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\fe4283cd3dcc11d2bce7e069cf0072e6c18e40fb89b4aef7e1057aa1c533f331.exe
  "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\fe4283cd3dcc11d2bce7e069cf0072e6c18e40fb89b4aef7e1057aa1c533f331.exe" --version
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1168
- C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406120406531\assistant\Assistant_110.0.5130.23_Setup.exe_sfx.exe
  "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406120406531\assistant\Assistant_110.0.5130.23_Setup.exe_sfx.exe"
  2⤵
  - Executes dropped EXE
  PID:4376
- C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406120406531\assistant\assistant_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406120406531\assistant\assistant_installer.exe" --version
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1232
- - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406120406531\assistant\assistant_installer.exe
    "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406120406531\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=110.0.5130.23 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7f30e8,0x7f30f4,0x7f3100
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\fe4283cd3dcc11d2bce7e069cf0072e6c18e40fb89b4aef7e1057aa1c533f331.exe

Filesize
2.6MB

MD5
6bee4c1100bc3d6f2228944d6c15b84d

SHA1
c1aac442a7e7fa03625a555cd95e8ab1d3eede7b

SHA256
fe4283cd3dcc11d2bce7e069cf0072e6c18e40fb89b4aef7e1057aa1c533f331

SHA512
3fc4db212011aa4f4d8fc1f3949ea28a120d3b4e2ceb6c41f00cc4a886bac25d0a7f682c597afc93e78e56e09267fda569f0da83186a53d1a05e8e7b08c8becb

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406120406531\assistant\Assistant_110.0.5130.23_Setup.exe_sfx.exe

Filesize
2.5MB

MD5
028fb19ee2cea3e611b4a85ac48fafbc

SHA1
d1a802b5df649282e896289b4ec5df8d512b53dd

SHA256
e8fa79e22926ae07a998b5d2bb1be9309d0a15772ac72b88f4eed66052f33117

SHA512
99959d7765c1e6636dee1841f214cb2d0c7684d7128381b0387fa9c7ef4a92ef62bb094087bdcb343e44196b5a333df3a2104ced9f49671197a06fafa27aff51

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406120406531\assistant\assistant_installer.exe

Filesize
1.9MB

MD5
b6789061eb88781add48ec7095ff78e5

SHA1
c2cdf5723a94b3b5a69ad78a5e869347444abe0b

SHA256
c39c7199fa2221783ea61f085f484668e3c452706069b046cb0f4a9d4cb4c0a3

SHA512
7c9a61c7f8d45fb7a2591c0c57c22bca0b527e3b6b4a3bdde5fbdcca25abc1e0c56a244a39d4b65a91316eb8f19fb8232569f5781eedefbc0898646d4df10f9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406120406531\assistant\dbgcore.dll

Filesize
166KB

MD5
a4ed3b36776e0155fd24ffa609ffc2f4

SHA1
3d6496f21e0f04b6789365d06e71fe7de284b1c0

SHA256
b69387b9284dc36d377e4066c4cf361dc65efc6c784af0f8666d9684fabd2d29

SHA512
ae5d052fdcc7e7d3e593a1fb2dd5e64fcd75c7381ff4e4c5f4302d8d3c058a48c943c66d04c02d44d45c2bda36b3d3df096dfea26fc35d3c682bdd5221225e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406120406531\assistant\dbghelp.dll

Filesize
1.7MB

MD5
fa64324149160877768551fd96c360dc

SHA1
dd76ebe617271465ae5820f49152f8a89703ae1a

SHA256
7f4a2cff90524b769781b763077be198d74834c6b576ef9f27132a415cbbaca8

SHA512
72161c1b0449f546e2a3560369f5cebbe71c5f098efb4037a9ec229310082b0fab2de10b8a0f94b0213d5119cd9ff66daeaa73ca2163ba0224b5cd8526f7bbea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_240612040653263876.dll

Filesize
4.4MB

MD5
5929d35f5dd25f951e3d67989df47554

SHA1
59fc6ede5facdf2e8c739bb2c3da626a35fbc658

SHA256
2c38bce7acbf817a52ef47da3ba3d21e93b0a141e05038ffeef9a77917c4e1d2

SHA512
16aa3cc00be95d280b438a6e82d512ec150cac05a33afd89d23fabf4bba741b0a225be6441422f0b5fcf6622183426612af315b50011e5efce757e1d3a64021d

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

Filesize
40B

MD5
45adda61e9fd5dac76b5770987e3c89f

SHA1
12ac960b74e2b96bbba4a07a1129b3c172ee34a2

SHA256
ce2766524a7e1950faf0418b24cefe1728f6762dc6193dbff44c5377643ab050

SHA512
24ebab198a5599451f45a42a46725f695ee396de940b7d1e85efc7725ad8589c44d073bf0046dcdac52bb4055e48d4cad93aa48ce5b11d57d3c120d2eca233e1

Download Submit
memory/876-37-0x00000000001C0000-0x00000000006D9000-memory.dmp

Filesize
5.1MB

Download
memory/876-3-0x00000000001C0000-0x00000000006D9000-memory.dmp

Filesize
5.1MB

Download
memory/1104-7-0x00000000001C0000-0x00000000006D9000-memory.dmp

Filesize
5.1MB

Download
memory/1104-38-0x00000000001C0000-0x00000000006D9000-memory.dmp

Filesize
5.1MB

Download
memory/1168-15-0x0000000000D80000-0x0000000001299000-memory.dmp

Filesize
5.1MB

Download
memory/1168-19-0x0000000000D80000-0x0000000001299000-memory.dmp

Filesize
5.1MB

Download

Analysis

Sharing