Analysis
- max time kernel: 151s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-06-2024 13:58
Behavioral task: behavioral1
- Sample: bf19a1b8febfef715831b6c6864854df1673bdf2483f236752fbc99fedd33d05.exe
- Resource: win7-20240220-en
General
- Target: bf19a1b8febfef715831b6c6864854df1673bdf2483f236752fbc99fedd33d05.exe
- Size: 2.7MB
- MD5: 3a6c337e35fc0876cb5726f2edfb3118
- SHA1: 34806f53b8e78997b91861efca72d3693181df2b
- SHA256: bf19a1b8febfef715831b6c6864854df1673bdf2483f236752fbc99fedd33d05
- SHA512: 3f7c4c0c047596cdc0a9005796f2edfaee16c61b528b4bc834c7be991a67f04546da610ced7d9092056cd1c0c3b2bd0aa40f537b52d73e476febf16d1a859c2c
- SSDEEP: 49152:X6KN3J3DrBW/NTy0ljNLHbW0e6v2D5NTtSbXUuE11eJC53B3AQ7iRrxdS8iyEuXE:XZZJnBW/ZjNL7pe6v2D5NTS3E1vHwQu8
Malware Config
Signatures
- Downloads MZ/PE file
- Executes dropped EXE (4 IoCs)
  Processes (pid / Process):
  4696  bf19a1b8febfef715831b6c6864854df1673bdf2483f236752fbc99fedd33d05.exe
  4208  _sfx.exe
  5028  assistant_installer.exe
  892   assistant_installer.exe
- Loads dropped DLL (7 IoCs)
  Processes (pid / Process):
  1572  bf19a1b8febfef715831b6c6864854df1673bdf2483f236752fbc99fedd33d05.exe
  2504  bf19a1b8febfef715831b6c6864854df1673bdf2483f236752fbc99fedd33d05.exe
  4696  bf19a1b8febfef715831b6c6864854df1673bdf2483f236752fbc99fedd33d05.exe
  5028  assistant_installer.exe
  5028  assistant_installer.exe
  892   assistant_installer.exe
  892   assistant_installer.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
  resource / yara_rule:
  behavioral2/memory/1572-0-0x0000000000400000-0x000000000092E000-memory.dmp   upx
  behavioral2/memory/2504-5-0x0000000000400000-0x000000000092E000-memory.dmp   upx
  behavioral2/files/0x000700000002327a-13.dat                                  upx
  behavioral2/memory/4696-19-0x0000000000400000-0x000000000092E000-memory.dmp  upx
  behavioral2/memory/1572-21-0x0000000000400000-0x000000000092E000-memory.dmp  upx
  behavioral2/memory/2504-36-0x0000000000400000-0x000000000092E000-memory.dmp  upx
- Enumerates connected drives (3 TTPs, 2 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes (description / ioc / Process):
  File opened (read-only)  \??\D:  bf19a1b8febfef715831b6c6864854df1673bdf2483f236752fbc99fedd33d05.exe
  File opened (read-only)  \??\F:  bf19a1b8febfef715831b6c6864854df1673bdf2483f236752fbc99fedd33d05.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid / Process):
  1572  bf19a1b8febfef715831b6c6864854df1673bdf2483f236752fbc99fedd33d05.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes (description / pid / Process / procid_target):
  PID 1572 wrote to memory of 2504  1572  bf19a1b8febfef715831b6c6864854df1673bdf2483f236752fbc99fedd33d05.exe  91
  PID 1572 wrote to memory of 2504  1572  bf19a1b8febfef715831b6c6864854df1673bdf2483f236752fbc99fedd33d05.exe  91
  PID 1572 wrote to memory of 2504  1572  bf19a1b8febfef715831b6c6864854df1673bdf2483f236752fbc99fedd33d05.exe  91
  PID 1572 wrote to memory of 4696  1572  bf19a1b8febfef715831b6c6864854df1673bdf2483f236752fbc99fedd33d05.exe  92
  PID 1572 wrote to memory of 4696  1572  bf19a1b8febfef715831b6c6864854df1673bdf2483f236752fbc99fedd33d05.exe  92
  PID 1572 wrote to memory of 4696  1572  bf19a1b8febfef715831b6c6864854df1673bdf2483f236752fbc99fedd33d05.exe  92
  PID 1572 wrote to memory of 4208  1572  bf19a1b8febfef715831b6c6864854df1673bdf2483f236752fbc99fedd33d05.exe  101
  PID 1572 wrote to memory of 4208  1572  bf19a1b8febfef715831b6c6864854df1673bdf2483f236752fbc99fedd33d05.exe  101
  PID 1572 wrote to memory of 4208  1572  bf19a1b8febfef715831b6c6864854df1673bdf2483f236752fbc99fedd33d05.exe  101
  PID 1572 wrote to memory of 5028  1572  bf19a1b8febfef715831b6c6864854df1673bdf2483f236752fbc99fedd33d05.exe  102
  PID 1572 wrote to memory of 5028  1572  bf19a1b8febfef715831b6c6864854df1673bdf2483f236752fbc99fedd33d05.exe  102
  PID 1572 wrote to memory of 5028  1572  bf19a1b8febfef715831b6c6864854df1673bdf2483f236752fbc99fedd33d05.exe  102
  PID 5028 wrote to memory of 892   5028  assistant_installer.exe  103
  PID 5028 wrote to memory of 892   5028  assistant_installer.exe  103
  PID 5028 wrote to memory of 892   5028  assistant_installer.exe  103
Processes
- C:\Users\Admin\AppData\Local\Temp\bf19a1b8febfef715831b6c6864854df1673bdf2483f236752fbc99fedd33d05.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bf19a1b8febfef715831b6c6864854df1673bdf2483f236752fbc99fedd33d05.exe"
  - Loads dropped DLL
  - Enumerates connected drives
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1572
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\bf19a1b8febfef715831b6c6864854df1673bdf2483f236752fbc99fedd33d05.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\bf19a1b8febfef715831b6c6864854df1673bdf2483f236752fbc99fedd33d05.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=90.0.4480.48 --initial-client-data=0x2d8,0x2dc,0x2e0,0x2b4,0x2e4,0x754a89c8,0x754a89d8,0x754a89e4
    - Loads dropped DLL
    PID: 2504
  - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\bf19a1b8febfef715831b6c6864854df1673bdf2483f236752fbc99fedd33d05.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\bf19a1b8febfef715831b6c6864854df1673bdf2483f236752fbc99fedd33d05.exe" --version
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 4696
  - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406121358581\assistant\_sfx.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406121358581\assistant\_sfx.exe"
    - Executes dropped EXE
    PID: 4208
  - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406121358581\assistant\assistant_installer.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406121358581\assistant\assistant_installer.exe" --version
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 5028
    Child processes:
    - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406121358581\assistant\assistant_installer.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406121358581\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=110.0.5130.23 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0xdf30e8,0xdf30f4,0xdf3100
      - Executes dropped EXE
      - Loads dropped DLL
      PID: 892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3816 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
  PID: 3704
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\bf19a1b8febfef715831b6c6864854df1673bdf2483f236752fbc99fedd33d05.exe
  Filesize: 2.7MB
  MD5: 3a6c337e35fc0876cb5726f2edfb3118
  SHA1: 34806f53b8e78997b91861efca72d3693181df2b
  SHA256: bf19a1b8febfef715831b6c6864854df1673bdf2483f236752fbc99fedd33d05
  SHA512: 3f7c4c0c047596cdc0a9005796f2edfaee16c61b528b4bc834c7be991a67f04546da610ced7d9092056cd1c0c3b2bd0aa40f537b52d73e476febf16d1a859c2c
- C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406121358581\assistant\_sfx.exe
  Filesize: 2.5MB
  MD5: 028fb19ee2cea3e611b4a85ac48fafbc
  SHA1: d1a802b5df649282e896289b4ec5df8d512b53dd
  SHA256: e8fa79e22926ae07a998b5d2bb1be9309d0a15772ac72b88f4eed66052f33117
  SHA512: 99959d7765c1e6636dee1841f214cb2d0c7684d7128381b0387fa9c7ef4a92ef62bb094087bdcb343e44196b5a333df3a2104ced9f49671197a06fafa27aff51
- C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406121358581\assistant\assistant_installer.exe
  Filesize: 1.9MB
  MD5: b6789061eb88781add48ec7095ff78e5
  SHA1: c2cdf5723a94b3b5a69ad78a5e869347444abe0b
  SHA256: c39c7199fa2221783ea61f085f484668e3c452706069b046cb0f4a9d4cb4c0a3
  SHA512: 7c9a61c7f8d45fb7a2591c0c57c22bca0b527e3b6b4a3bdde5fbdcca25abc1e0c56a244a39d4b65a91316eb8f19fb8232569f5781eedefbc0898646d4df10f9c
- C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406121358581\assistant\dbgcore.dll
  Filesize: 166KB
  MD5: a4ed3b36776e0155fd24ffa609ffc2f4
  SHA1: 3d6496f21e0f04b6789365d06e71fe7de284b1c0
  SHA256: b69387b9284dc36d377e4066c4cf361dc65efc6c784af0f8666d9684fabd2d29
  SHA512: ae5d052fdcc7e7d3e593a1fb2dd5e64fcd75c7381ff4e4c5f4302d8d3c058a48c943c66d04c02d44d45c2bda36b3d3df096dfea26fc35d3c682bdd5221225e76
- C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406121358581\assistant\dbghelp.dll
  Filesize: 1.7MB
  MD5: fa64324149160877768551fd96c360dc
  SHA1: dd76ebe617271465ae5820f49152f8a89703ae1a
  SHA256: 7f4a2cff90524b769781b763077be198d74834c6b576ef9f27132a415cbbaca8
  SHA512: 72161c1b0449f546e2a3560369f5cebbe71c5f098efb4037a9ec229310082b0fab2de10b8a0f94b0213d5119cd9ff66daeaa73ca2163ba0224b5cd8526f7bbea
- Filesize: 4.5MB
  MD5: 81fe65af3d3707ef3d58020f87c8ae21
  SHA1: d25b438f9c2a4ef5929ca4167e2f6526f9252703
  SHA256: c2be617c6c6a77724400992878a95dfdb7dd24571330a167e9c423d33098cb7b
  SHA512: 2a3cd92b9f5df14834cff9b37e5fa40faf47d8bb4a637fe44d58d69b0fdc218d2ea39e179b711ebad715eb656c8fb7fa2b7b4642c3301e000bf60fc38a6e0969
- Filesize: 40B
  MD5: 9442bc9d7f6f4357991aec15f8e8f10c
  SHA1: 46e85e202a349102519e764b87e138c87260442f
  SHA256: 16a7c050e0806501e8f10f47e7fc4366d5c3e559481fa9ae3e9d1f27d52922f2
  SHA512: c6fcaf9b705c3e2b98f7c0044b2f3f3befe2203f29bddb9ffe1d8998c02656db08ec6771a64b093b93bf146738e2562df5acb947de53c4d2a72127468de1e746