Analysis
max time kernel: 147s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-06-2024 13:53
Behavioral task: behavioral1
Sample: 772825846835d94e306d78560040161879b9db4b73fd9f7921753fa7441bfce2.exe
Resource: win7-20240508-en
General
Target: 772825846835d94e306d78560040161879b9db4b73fd9f7921753fa7441bfce2.exe
Size: 3.3MB
MD5: d41501d6899358a83d6f39b856517c5b
SHA1: e698963ba1816f8afb76d9f65e935e78cbe3f8b9
SHA256: 772825846835d94e306d78560040161879b9db4b73fd9f7921753fa7441bfce2
SHA512: 0804ba6a4ce018dc78383c0c0a9702fa9aee579edd2637ddb61b81aaab79e50efff47ef86703011cd80a6c400f50b8c35512981e71b069dad45978ed619c6f65
SSDEEP: 98304:6Ol4eNA4MqMVdrh6h6UuLQhpejzEjlPdm23JYC+BBvUWuj2dtLS:6Ol1+JTrH325YJvuI
Malware Config
Signatures
Executes dropped EXE 1 IoCs
Processes:
  pid   Process
  2424  772825846835d94e306d78560040161879b9db4b73fd9f7921753fa7441bfce2.exe

Loads dropped DLL 3 IoCs
Processes:
  pid   Process
  884   772825846835d94e306d78560040161879b9db4b73fd9f7921753fa7441bfce2.exe
  3192  772825846835d94e306d78560040161879b9db4b73fd9f7921753fa7441bfce2.exe
  2424  772825846835d94e306d78560040161879b9db4b73fd9f7921753fa7441bfce2.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Processes:
  resource                                                                    yara_rule
  behavioral2/memory/884-1-0x00000000001C0000-0x000000000077C000-memory.dmp   upx
  behavioral2/memory/3192-4-0x00000000001C0000-0x000000000077C000-memory.dmp  upx
  behavioral2/files/0x0007000000023407-13.dat                                 upx
  behavioral2/memory/2424-16-0x0000000000800000-0x0000000000DBC000-memory.dmp upx
  behavioral2/memory/2424-19-0x0000000000800000-0x0000000000DBC000-memory.dmp upx
  behavioral2/memory/884-21-0x00000000001C0000-0x000000000077C000-memory.dmp  upx
  behavioral2/memory/3192-22-0x00000000001C0000-0x000000000077C000-memory.dmp upx

Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  description              ioc     Process
  File opened (read-only)  \??\F:  772825846835d94e306d78560040161879b9db4b73fd9f7921753fa7441bfce2.exe
  File opened (read-only)  \??\D:  772825846835d94e306d78560040161879b9db4b73fd9f7921753fa7441bfce2.exe

Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
  pid  Process
  884  772825846835d94e306d78560040161879b9db4b73fd9f7921753fa7441bfce2.exe

Suspicious use of WriteProcessMemory 6 IoCs
Processes:
  description                      pid  Process                                                                  procid_target
  PID 884 wrote to memory of 3192  884  772825846835d94e306d78560040161879b9db4b73fd9f7921753fa7441bfce2.exe  81
  PID 884 wrote to memory of 3192  884  772825846835d94e306d78560040161879b9db4b73fd9f7921753fa7441bfce2.exe  81
  PID 884 wrote to memory of 3192  884  772825846835d94e306d78560040161879b9db4b73fd9f7921753fa7441bfce2.exe  81
  PID 884 wrote to memory of 2424  884  772825846835d94e306d78560040161879b9db4b73fd9f7921753fa7441bfce2.exe  84
  PID 884 wrote to memory of 2424  884  772825846835d94e306d78560040161879b9db4b73fd9f7921753fa7441bfce2.exe  84
  PID 884 wrote to memory of 2424  884  772825846835d94e306d78560040161879b9db4b73fd9f7921753fa7441bfce2.exe  84
Processes
C:\Users\Admin\AppData\Local\Temp\772825846835d94e306d78560040161879b9db4b73fd9f7921753fa7441bfce2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\772825846835d94e306d78560040161879b9db4b73fd9f7921753fa7441bfce2.exe"
  - Loads dropped DLL
  - Enumerates connected drives
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 884

  C:\Users\Admin\AppData\Local\Temp\772825846835d94e306d78560040161879b9db4b73fd9f7921753fa7441bfce2.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\772825846835d94e306d78560040161879b9db4b73fd9f7921753fa7441bfce2.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=99.0.4788.49 --initial-client-data=0x2ec,0x2f0,0x2f4,0x2c8,0x2f8,0x74f0a108,0x74f0a118,0x74f0a124
    - Loads dropped DLL
    PID: 3192

  C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\772825846835d94e306d78560040161879b9db4b73fd9f7921753fa7441bfce2.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\772825846835d94e306d78560040161879b9db4b73fd9f7921753fa7441bfce2.exe" --version
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 2424
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\772825846835d94e306d78560040161879b9db4b73fd9f7921753fa7441bfce2.exe
Filesize: 3.3MB
MD5: d41501d6899358a83d6f39b856517c5b
SHA1: e698963ba1816f8afb76d9f65e935e78cbe3f8b9
SHA256: 772825846835d94e306d78560040161879b9db4b73fd9f7921753fa7441bfce2
SHA512: 0804ba6a4ce018dc78383c0c0a9702fa9aee579edd2637ddb61b81aaab79e50efff47ef86703011cd80a6c400f50b8c35512981e71b069dad45978ed619c6f65

Filesize: 5.1MB
MD5: 30f85385033134cb6db41e29ccfc60a4
SHA1: 77797120af3ff451563627ecb67939d00b722bde
SHA256: f1e2fa22d39268551e4a639dac3f19d2c1de87d85d776b059f0e92d627deb2fe
SHA512: 33941260f6b626a7c07a7cd567c7b28cbccb8c4d8e472f70b85d2a8ec883e9298b3652dbc252905f25c34d3b90a539f00ff2342eef0723c357be298a363991af