Malware Analysis Report

2024-11-30 06:13

Sample ID 240612-q6z4ksxdla
Target 772825846835d94e306d78560040161879b9db4b73fd9f7921753fa7441bfce2
SHA256 772825846835d94e306d78560040161879b9db4b73fd9f7921753fa7441bfce2
Tags
upx spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

772825846835d94e306d78560040161879b9db4b73fd9f7921753fa7441bfce2

Threat Level: suspicious behavior observed (score 7/10)

The file 772825846835d94e306d78560040161879b9db4b73fd9f7921753fa7441bfce2 shows suspicious behavior. The verdict rests on the signature hits listed below; note that in behavioral2 the dropped Opera_installer_*.dll, the crashpad-handler command line (prod=OperaDesktopGX, ver=99.0.4788.49) and the only contacted domains (autoupdate.geo.opera.com, desktop-netinstaller-sub.osp.opera.software) are all Opera GX installer artifacts, so the "spyware stealer" tag, triggered by the browser-profile read, should be weighed against that context.

Malicious Activity Summary

upx spyware stealer

Reads user/profile data of web browsers

Loads dropped DLL

UPX packed file

Executes dropped EXE

Enumerates connected drives

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-12 13:53

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
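The "UPX packed file" hit above is a static header check. The following is an added example, not part of this report and not the sandbox's own detection code: it walks the PE section table, flags the UPX0/UPX1 section names UPX leaves behind, and falls back to the structural fingerprint (an empty first section plus a high-entropy second section) when the names have been renamed. The PE images it inspects are constructed inline with a small builder; nothing here is derived from the sample itself, and the 7.0 bits/byte entropy cut-off is an assumption chosen for the example.

```python
import hashlib
import math
import struct
from collections import Counter


def pe_sections(data: bytes):
    """Walk DOS header -> NT headers -> section table and return one dict per section."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 4 + 20 + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, raw_size, raw_ptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": vaddr,
                         "raw_size": raw_size, "raw_ptr": raw_ptr, "flags": flags})
    return sections


def shannon_entropy(buf: bytes) -> float:
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def is_upx_packed(data: bytes):
    """Return (verdict, reason): section-name match first, structural fallback second."""
    secs = pe_sections(data)
    names = [s["name"] for s in secs]
    if any(n.startswith("UPX") for n in names):
        return True, "section names " + ", ".join(names)
    # UPX reserves an empty first section for the unpacked image and keeps the
    # compressed payload in the second, which looks random. Renaming does not hide that.
    if len(secs) >= 2 and secs[0]["raw_size"] == 0 and secs[0]["virtual_size"] > 0:
        s1 = secs[1]
        ent = shannon_entropy(data[s1["raw_ptr"]:s1["raw_ptr"] + s1["raw_size"]])
        if ent > 7.0:  # assumed threshold for "compressed or encrypted"
            return True, f"empty first section + high-entropy second section ({ent:.2f} bits/byte)"
    return False, "section layout " + ", ".join(names)


def build_sample_pe(sections):
    """Constructed minimal PE32: sections is a list of (name, raw_bytes or None for virtual-only)."""
    opt_size, file_align, raw_ptr, vaddr = 224, 0x200, 0x400, 0x1000
    hdr = bytearray(b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40))
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    hdr += struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)  # PE32 magic, rest zeroed
    table, body = bytearray(), bytearray()
    for name, raw in sections:
        if raw is None:  # UPX0-style: memory reserved, nothing on disk
            table += struct.pack("<8sIIIIIIHHI", name, 0x80000, vaddr, 0, 0, 0, 0, 0, 0, 0xE0000080)
            vaddr += 0x80000
        else:
            padded = raw + b"\0" * (-len(raw) % file_align)
            table += struct.pack("<8sIIIIIIHHI", name, len(raw), vaddr, len(padded),
                                 raw_ptr + len(body), 0, 0, 0, 0, 0xE0000040)
            body += padded
            vaddr += (len(padded) + 0xFFF) & ~0xFFF
    hdr += table
    hdr += b"\0" * (raw_ptr - len(hdr))
    return bytes(hdr + body)


def pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy filler standing in for compressed code (constructed)."""
    out, i = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(i.to_bytes(4, "little")).digest()
        i += 1
    return bytes(out[:n])


SAMPLE_UPX = build_sample_pe([(b"UPX0", None), (b"UPX1", pseudo_random(4096)), (b".rsrc", b"\0" * 64)])
SAMPLE_RENAMED = build_sample_pe([(b".text", None), (b".data", pseudo_random(4096))])
SAMPLE_PLAIN = build_sample_pe([(b".text", b"\x90" * 512), (b".data", b"\0" * 512)])

if __name__ == "__main__":
    for label, blob in [("upx", SAMPLE_UPX), ("renamed", SAMPLE_RENAMED), ("plain", SAMPLE_PLAIN)]:
        print(label, *is_upx_packed(blob))
```

Against a real sample, call `is_upx_packed(open(path, "rb").read())`. Packing on its own is not evidence of malice, which is why the report treats it as one indicator among several; the fallback exists because section names are the first thing a repacker changes.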

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 13:53

Reported

2024-06-12 13:55

Platform

win7-20240508-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\772825846835d94e306d78560040161879b9db4b73fd9f7921753fa7441bfce2.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\772825846835d94e306d78560040161879b9db4b73fd9f7921753fa7441bfce2.exe

"C:\Users\Admin\AppData\Local\Temp\772825846835d94e306d78560040161879b9db4b73fd9f7921753fa7441bfce2.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\Opera_installer_2406121353103241700.dll

MD5 30f85385033134cb6db41e29ccfc60a4
SHA1 77797120af3ff451563627ecb67939d00b722bde
SHA256 f1e2fa22d39268551e4a639dac3f19d2c1de87d85d776b059f0e92d627deb2fe
SHA512 33941260f6b626a7c07a7cd567c7b28cbccb8c4d8e472f70b85d2a8ec883e9298b3652dbc252905f25c34d3b90a539f00ff2342eef0723c357be298a363991af

memory/1700-6-0x00000000002B0000-0x000000000086C000-memory.dmp

memory/1700-7-0x00000000002B0000-0x000000000086C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 13:53

Reported

2024-06-12 13:55

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\772825846835d94e306d78560040161879b9db4b73fd9f7921753fa7441bfce2.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\772825846835d94e306d78560040161879b9db4b73fd9f7921753fa7441bfce2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 884 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\772825846835d94e306d78560040161879b9db4b73fd9f7921753fa7441bfce2.exe C:\Users\Admin\AppData\Local\Temp\772825846835d94e306d78560040161879b9db4b73fd9f7921753fa7441bfce2.exe
PID 884 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\772825846835d94e306d78560040161879b9db4b73fd9f7921753fa7441bfce2.exe C:\Users\Admin\AppData\Local\Temp\772825846835d94e306d78560040161879b9db4b73fd9f7921753fa7441bfce2.exe
PID 884 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\772825846835d94e306d78560040161879b9db4b73fd9f7921753fa7441bfce2.exe C:\Users\Admin\AppData\Local\Temp\772825846835d94e306d78560040161879b9db4b73fd9f7921753fa7441bfce2.exe
PID 884 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\772825846835d94e306d78560040161879b9db4b73fd9f7921753fa7441bfce2.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\772825846835d94e306d78560040161879b9db4b73fd9f7921753fa7441bfce2.exe
PID 884 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\772825846835d94e306d78560040161879b9db4b73fd9f7921753fa7441bfce2.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\772825846835d94e306d78560040161879b9db4b73fd9f7921753fa7441bfce2.exe
PID 884 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\772825846835d94e306d78560040161879b9db4b73fd9f7921753fa7441bfce2.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\772825846835d94e306d78560040161879b9db4b73fd9f7921753fa7441bfce2.exe

Processes

C:\Users\Admin\AppData\Local\Temp\772825846835d94e306d78560040161879b9db4b73fd9f7921753fa7441bfce2.exe

"C:\Users\Admin\AppData\Local\Temp\772825846835d94e306d78560040161879b9db4b73fd9f7921753fa7441bfce2.exe"

C:\Users\Admin\AppData\Local\Temp\772825846835d94e306d78560040161879b9db4b73fd9f7921753fa7441bfce2.exe

C:\Users\Admin\AppData\Local\Temp\772825846835d94e306d78560040161879b9db4b73fd9f7921753fa7441bfce2.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=99.0.4788.49 --initial-client-data=0x2ec,0x2f0,0x2f4,0x2c8,0x2f8,0x74f0a108,0x74f0a118,0x74f0a124

C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\772825846835d94e306d78560040161879b9db4b73fd9f7921753fa7441bfce2.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\772825846835d94e306d78560040161879b9db4b73fd9f7921753fa7441bfce2.exe" --version

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 desktop-netinstaller-sub.osp.opera.software udp
US 8.8.8.8:53 autoupdate.geo.opera.com udp
US 8.8.8.8:53 desktop-netinstaller-sub.osp.opera.software udp
US 8.8.8.8:53 autoupdate.geo.opera.com udp
US 8.8.8.8:53 desktop-netinstaller-sub.osp.opera.software udp
US 8.8.8.8:53 autoupdate.geo.opera.com udp
US 8.8.8.8:53 autoupdate.geo.opera.com udp
US 8.8.8.8:53 autoupdate.geo.opera.com udp
US 8.8.8.8:53 autoupdate.geo.opera.com udp
US 8.8.8.8:53 autoupdate.geo.opera.com udp
US 8.8.8.8:53 autoupdate.geo.opera.com udp
US 8.8.8.8:53 autoupdate.geo.opera.com udp
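The WriteProcessMemory table, the Processes list and the Network table above are flat rows; what a triager wants from them is the process tree with the dropped self-copy identified and a deduplicated domain list with the vendor's own infrastructure separated from anything unexpected. The script below is an added example, not part of the report: the rows are copied from the behavioral2 tables (repeats included), the dropped-file hash comes from the Files section, and the vendor-suffix list is an assumption made for the example. The report does not say which PID belongs to which command line in the Processes list, so the tree is keyed on image paths only.

```python
import re
from collections import Counter, defaultdict

SHA = "772825846835d94e306d78560040161879b9db4b73fd9f7921753fa7441bfce2"
TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp"
ORIG = TEMP + "\\" + SHA + ".exe"
COPY = TEMP + "\\.opera\\Opera GX Installer Temp\\" + SHA + ".exe"

# Rows as printed in the behavioral2 "Suspicious use of WriteProcessMemory" table (3 + 3 repeats).
WPM_ROWS = ([f"PID 884 wrote to memory of 3192 N/A {ORIG} {ORIG}"] * 3
            + [f"PID 884 wrote to memory of 2424 N/A {ORIG} {COPY}"] * 3)
# From the Files section: the dropped copy hashes to the same SHA256 as the submitted sample.
DROPPED = {COPY: SHA}
# Rows as printed in the behavioral2 Network table, in order.
NET_ROWS = (["US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp"]
            + ["US 8.8.8.8:53 desktop-netinstaller-sub.osp.opera.software udp",
               "US 8.8.8.8:53 autoupdate.geo.opera.com udp"] * 3
            + ["US 8.8.8.8:53 autoupdate.geo.opera.com udp"] * 6)
# Assumption for this example: these suffixes are Opera's own infrastructure.
VENDOR_SUFFIXES = (".opera.com", ".opera.software")

# Paths contain spaces, so anchor on "C:\" and the trailing ".exe" instead of splitting on whitespace.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (C:\\.*?\.exe) (C:\\.*\.exe)$")


def parse_wpm(rows):
    """Collapse repeated rows into (src_pid, dst_pid, src_image, dst_image) -> write count."""
    edges = Counter()
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            raise ValueError("unparsed row: " + row)
        src, dst, src_path, dst_path = m.groups()
        edges[(int(src), int(dst), src_path, dst_path)] += 1
    return edges


def process_tree(edges, dropped, sample_sha256):
    """Parent PID -> children, marking same-image helpers and dropped self-copies."""
    children = defaultdict(list)
    for (src, dst, src_path, dst_path), n in edges.items():
        children[src].append({
            "pid": dst, "image": dst_path, "writes": n,
            "same_image": src_path == dst_path,            # helper spawned from the same binary
            "self_copy": dropped.get(dst_path) == sample_sha256,  # "Executes dropped EXE" of itself
        })
    return dict(children)


def dns_summary(rows, vendor_suffixes=VENDOR_SUFFIXES):
    """Unique queried names with counts, split into vendor-owned and everything else."""
    counts = Counter()
    for row in rows:
        _country, _dst, name, _proto = row.split()
        if name.endswith(".in-addr.arpa"):
            continue  # PTR lookup of the resolver itself, not a destination the sample chose
        counts[name] += 1
    vendor = sorted(n for n in counts if n.endswith(vendor_suffixes))
    other = sorted(n for n in counts if not n.endswith(vendor_suffixes))
    return {"counts": dict(counts), "vendor": vendor, "other": other}


if __name__ == "__main__":
    for parent, kids in process_tree(parse_wpm(WPM_ROWS), DROPPED, SHA).items():
        for k in kids:
            tag = "self-copy" if k["self_copy"] else ("same image" if k["same_image"] else "other")
            print(f"{parent} -> {k['pid']} [{tag}, {k['writes']} writes] {k['image']}")
    s = dns_summary(NET_ROWS)
    print("vendor:", s["vendor"])
    print("other:", s["other"])
    print("counts:", s["counts"])
```

Run as-is it prints the two edges from PID 884 (one same-image child, one child running the dropped copy that hashes identically to the sample) and an empty "other" list, which is the concrete form of the observation that every resolved name in this detonation belongs to the vendor. Swap in rows from another report and the "other" list is where unknown infrastructure would surface.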

Files

C:\Users\Admin\AppData\Local\Temp\Opera_installer_240612135311292884.dll

MD5 30f85385033134cb6db41e29ccfc60a4
SHA1 77797120af3ff451563627ecb67939d00b722bde
SHA256 f1e2fa22d39268551e4a639dac3f19d2c1de87d85d776b059f0e92d627deb2fe
SHA512 33941260f6b626a7c07a7cd567c7b28cbccb8c4d8e472f70b85d2a8ec883e9298b3652dbc252905f25c34d3b90a539f00ff2342eef0723c357be298a363991af

memory/884-1-0x00000000001C0000-0x000000000077C000-memory.dmp

memory/3192-4-0x00000000001C0000-0x000000000077C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\772825846835d94e306d78560040161879b9db4b73fd9f7921753fa7441bfce2.exe

MD5 d41501d6899358a83d6f39b856517c5b
SHA1 e698963ba1816f8afb76d9f65e935e78cbe3f8b9
SHA256 772825846835d94e306d78560040161879b9db4b73fd9f7921753fa7441bfce2
SHA512 0804ba6a4ce018dc78383c0c0a9702fa9aee579edd2637ddb61b81aaab79e50efff47ef86703011cd80a6c400f50b8c35512981e71b069dad45978ed619c6f65

memory/2424-16-0x0000000000800000-0x0000000000DBC000-memory.dmp

memory/2424-19-0x0000000000800000-0x0000000000DBC000-memory.dmp

memory/884-21-0x00000000001C0000-0x000000000077C000-memory.dmp

memory/3192-22-0x00000000001C0000-0x000000000077C000-memory.dmp