a3c1b30df000e275363eda23ff50c6b680624a8ba2c8fa3b81d5c866c847b2f3

General

Target

a3c1b30df000e275363eda23ff50c6b680624a8ba2c8fa3b81d5c866c847b2f3.exe
Size

3.2MB
MD5

f50b46099b57064cce4e73143c9a06c6
SHA1

2c8f6ac18e692b784be6c15ff966c564b6a6f622
SHA256

a3c1b30df000e275363eda23ff50c6b680624a8ba2c8fa3b81d5c866c847b2f3
SHA512

0542c161e09f69c47974f7a3f28a11bba2ec1c2f7ccd0d9a4a8cb7351ffd4280a797e97874832873d9fa571a2034bcc0dbfd9b97ac730538b0854396de843590
SSDEEP

98304:O5iQ1Er5mkLLQ/ac5Bd0dvmcOmiurHZ9MfvkTRwJD:OqvLQP5BdihDv

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2964	a3c1b30df000e275363eda23ff50c6b680624a8ba2c8fa3b81d5c866c847b2f3.exe

Loads dropped DLL 4 IoCs

pid	Process
2648	a3c1b30df000e275363eda23ff50c6b680624a8ba2c8fa3b81d5c866c847b2f3.exe
1720	a3c1b30df000e275363eda23ff50c6b680624a8ba2c8fa3b81d5c866c847b2f3.exe
2648	a3c1b30df000e275363eda23ff50c6b680624a8ba2c8fa3b81d5c866c847b2f3.exe
2964	a3c1b30df000e275363eda23ff50c6b680624a8ba2c8fa3b81d5c866c847b2f3.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2648-3-0x0000000000400000-0x00000000008F4000-memory.dmp	upx
behavioral1/memory/1720-7-0x0000000000400000-0x00000000008F4000-memory.dmp	upx
behavioral1/files/0x0006000000015e3c-16.dat	upx
behavioral1/memory/2964-19-0x0000000000400000-0x00000000008F4000-memory.dmp	upx
behavioral1/memory/2964-23-0x0000000000400000-0x00000000008F4000-memory.dmp	upx
behavioral1/memory/2648-258-0x0000000000400000-0x00000000008F4000-memory.dmp	upx
behavioral1/memory/1720-299-0x0000000000400000-0x00000000008F4000-memory.dmp	upx

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	a3c1b30df000e275363eda23ff50c6b680624a8ba2c8fa3b81d5c866c847b2f3.exe
File opened (read-only)	\??\D:	a3c1b30df000e275363eda23ff50c6b680624a8ba2c8fa3b81d5c866c847b2f3.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2648	a3c1b30df000e275363eda23ff50c6b680624a8ba2c8fa3b81d5c866c847b2f3.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 1720	2648	a3c1b30df000e275363eda23ff50c6b680624a8ba2c8fa3b81d5c866c847b2f3.exe	28
PID 2648 wrote to memory of 1720	2648	a3c1b30df000e275363eda23ff50c6b680624a8ba2c8fa3b81d5c866c847b2f3.exe	28
PID 2648 wrote to memory of 1720	2648	a3c1b30df000e275363eda23ff50c6b680624a8ba2c8fa3b81d5c866c847b2f3.exe	28
PID 2648 wrote to memory of 1720	2648	a3c1b30df000e275363eda23ff50c6b680624a8ba2c8fa3b81d5c866c847b2f3.exe	28
PID 2648 wrote to memory of 1720	2648	a3c1b30df000e275363eda23ff50c6b680624a8ba2c8fa3b81d5c866c847b2f3.exe	28
PID 2648 wrote to memory of 1720	2648	a3c1b30df000e275363eda23ff50c6b680624a8ba2c8fa3b81d5c866c847b2f3.exe	28
PID 2648 wrote to memory of 1720	2648	a3c1b30df000e275363eda23ff50c6b680624a8ba2c8fa3b81d5c866c847b2f3.exe	28
PID 2648 wrote to memory of 2964	2648	a3c1b30df000e275363eda23ff50c6b680624a8ba2c8fa3b81d5c866c847b2f3.exe	29
PID 2648 wrote to memory of 2964	2648	a3c1b30df000e275363eda23ff50c6b680624a8ba2c8fa3b81d5c866c847b2f3.exe	29
PID 2648 wrote to memory of 2964	2648	a3c1b30df000e275363eda23ff50c6b680624a8ba2c8fa3b81d5c866c847b2f3.exe	29
PID 2648 wrote to memory of 2964	2648	a3c1b30df000e275363eda23ff50c6b680624a8ba2c8fa3b81d5c866c847b2f3.exe	29
PID 2648 wrote to memory of 2964	2648	a3c1b30df000e275363eda23ff50c6b680624a8ba2c8fa3b81d5c866c847b2f3.exe	29
PID 2648 wrote to memory of 2964	2648	a3c1b30df000e275363eda23ff50c6b680624a8ba2c8fa3b81d5c866c847b2f3.exe	29
PID 2648 wrote to memory of 2964	2648	a3c1b30df000e275363eda23ff50c6b680624a8ba2c8fa3b81d5c866c847b2f3.exe	29

C:\Users\Admin\AppData\Local\Temp\a3c1b30df000e275363eda23ff50c6b680624a8ba2c8fa3b81d5c866c847b2f3.exe
"C:\Users\Admin\AppData\Local\Temp\a3c1b30df000e275363eda23ff50c6b680624a8ba2c8fa3b81d5c866c847b2f3.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Users\Admin\AppData\Local\Temp\a3c1b30df000e275363eda23ff50c6b680624a8ba2c8fa3b81d5c866c847b2f3.exe
  C:\Users\Admin\AppData\Local\Temp\a3c1b30df000e275363eda23ff50c6b680624a8ba2c8fa3b81d5c866c847b2f3.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=80.0.4170.86 --initial-client-data=0x19c,0x1a0,0x1a4,0x170,0x1a8,0x74cce4f8,0x74cce508,0x74cce514
  2⤵
  - Loads dropped DLL
  PID:1720
- C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\a3c1b30df000e275363eda23ff50c6b680624a8ba2c8fa3b81d5c866c847b2f3.exe
  "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\a3c1b30df000e275363eda23ff50c6b680624a8ba2c8fa3b81d5c866c847b2f3.exe" --version
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
17701e17023649700c4a9a27fea5f219

SHA1
3435f3c0486d0eb709937f2711842cb4611ada4f

SHA256
1aebc2934383750ea991afa3542b9a23625fd8e06e5180ce69bb983743da6551

SHA512
eb49094fb72c8b60603a1423986f0490e4c202df476e6260c2d71549a06a53868b5ff6000300b1a2696eb263ec7defcd763d2ea85f5311989af6c76d721aefb1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fac9a683cf3799288e0a960205e29d4f

SHA1
162fe378c725da677a4e333ae5b1fc3505e054e5

SHA256
8e5e8bc77d75bb7d98dca12f7e10ac5811cb51e977be8d163c0ef15d59267d79

SHA512
efe5df96e7006ff65135f3c895da9524d6dc914947b59a040c52be83edefc35ea45580a8fa3d525ae73ac0d83b8014411b8547fd524023e9c125ffa77a5ac7d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
069c6416d7ba304b9579538351d4c0d8

SHA1
4c5fd6cb2c427019c95367f4570a24b4cb2f05ed

SHA256
54567ef88e5082b17cca3fe75c734eb271555aedafa58f7ac2c5af249def1a20

SHA512
bf6da118c66b3763cd68734c48bd9d3f407b465cce10022dd9125cfa4b2e4af0aa86ba888c68ea61da61009d5bd10d0475a2b64a97bbc5fa6889019113e21378

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\a3c1b30df000e275363eda23ff50c6b680624a8ba2c8fa3b81d5c866c847b2f3.exe

Filesize
3.2MB

MD5
f50b46099b57064cce4e73143c9a06c6

SHA1
2c8f6ac18e692b784be6c15ff966c564b6a6f622

SHA256
a3c1b30df000e275363eda23ff50c6b680624a8ba2c8fa3b81d5c866c847b2f3

SHA512
0542c161e09f69c47974f7a3f28a11bba2ec1c2f7ccd0d9a4a8cb7351ffd4280a797e97874832873d9fa571a2034bcc0dbfd9b97ac730538b0854396de843590

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD4B.tmp

Filesize
67KB

MD5
2d3dcf90f6c99f47e7593ea250c9e749

SHA1
51be82be4a272669983313565b4940d4b1385237

SHA256
8714e7be9f9b6de26673d9d09bd4c9f41b1b27ae10b1d56a7ad83abd7430ebd4

SHA512
9c11dd7d448ffebe2167acde37be77d42175edacf5aaf6fb31d3bdfe6bb1f63f5fdbc9a0a2125ed9d5ce0529b6b548818c8021532e1ea6b324717cc9bec0aaa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE0E.tmp

Filesize
160KB

MD5
7186ad693b8ad9444401bd9bcd2217c2

SHA1
5c28ca10a650f6026b0df4737078fa4197f3bac1

SHA256
9a71fa0cb44aa51412b16a0bf83a275977ba4e807d022f78364338b99b3a3eed

SHA512
135be0e6370fd057762c56149526f46bf6a62fb65ef5b3b26ae01fa07b4c4e37188e203bd3812f31e260ec5cccff5924633dd55ab17e9fa106479783c2fb212b

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports\settings.dat

Filesize
40B

MD5
955a5e7c308c108f4bcdf88bb607ad78

SHA1
6c8b38a73c6d015c8222885f9c8a1643be17602e

SHA256
1c53e3f5a003de00cbedf3a4a2f148e939d5cfdfe756811c6c5dce5140d02eb7

SHA512
b493b57dac5fb2d304dd4b68c215006ef4f88cae09eb875d00cafdcbaacc71bd06376ae117776776bf63f18d23a3d79a0220c13b6c2d3d6453ab06684ad132b3

Download Submit
\Users\Admin\AppData\Local\Temp\Opera_installer_2406120639584062648.dll

Filesize
4.5MB

MD5
46975d464d3da923ab0b9b6a1c5213bc

SHA1
5326c86889e67d5bdd07cf8078ceaf7c493367c4

SHA256
2ae655cfe1605382cc317225130d5789acb5bccc8f86d14e65e285c3d44b5661

SHA512
871fd3154130d86cd74e75e1c141de8ed9b49778ee28f54a66030ad0042deabd55f9eb0413d410c214bc10095bd22d3404e52e031b4c543a9ab02fe119eb6f2b

Download Submit
memory/1720-7-0x0000000000400000-0x00000000008F4000-memory.dmp

Filesize
5.0MB

Download
memory/1720-299-0x0000000000400000-0x00000000008F4000-memory.dmp

Filesize
5.0MB

Download
memory/2648-3-0x0000000000400000-0x00000000008F4000-memory.dmp

Filesize
5.0MB

Download
memory/2648-17-0x0000000003540000-0x0000000003A34000-memory.dmp

Filesize
5.0MB

Download
memory/2648-258-0x0000000000400000-0x00000000008F4000-memory.dmp

Filesize
5.0MB

Download
memory/2648-460-0x0000000002900000-0x0000000002DF4000-memory.dmp

Filesize
5.0MB

Download
memory/2964-19-0x0000000000400000-0x00000000008F4000-memory.dmp

Filesize
5.0MB

Download
memory/2964-23-0x0000000000400000-0x00000000008F4000-memory.dmp

Filesize
5.0MB

Download

Analysis

Sharing