Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12-06-2024 13:43

General

  • Target

    af7892e321b7057ad7879f7e1ae568878153afec03bd216dd80a04a99fb3ed14.exe

  • Size

    2.7MB

  • MD5

    9f843bb1b987bc8fb36c20d3cabeefc3

  • SHA1

    5e43f6065741e382f308a99e34a8db0fcb857d20

  • SHA256

    af7892e321b7057ad7879f7e1ae568878153afec03bd216dd80a04a99fb3ed14

  • SHA512

    6ca63987946a0344d362c49b1800d1b8d9886cdba8c2d7aa3815d167dd64ed80e3b9568904976ed0b8c80689c2c3600b3946ab34a5ff2ca3c12a873d202c490e

  • SSDEEP

    49152:R6KN3J3DrBW/NTy0ljNLHbW0e6v2D5NTtSbXUuE11eJC53B3AQ7iRrxdS8iyEuXE:RZZJnBW/ZjNL7pe6v2D5NTS3E1vHwQu8

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 7 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies system certificate store 2 TTPs 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\af7892e321b7057ad7879f7e1ae568878153afec03bd216dd80a04a99fb3ed14.exe
    "C:\Users\Admin\AppData\Local\Temp\af7892e321b7057ad7879f7e1ae568878153afec03bd216dd80a04a99fb3ed14.exe"
    1⤵
    • Loads dropped DLL
    • Enumerates connected drives
    • Modifies system certificate store
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3984
    • C:\Users\Admin\AppData\Local\Temp\af7892e321b7057ad7879f7e1ae568878153afec03bd216dd80a04a99fb3ed14.exe
      C:\Users\Admin\AppData\Local\Temp\af7892e321b7057ad7879f7e1ae568878153afec03bd216dd80a04a99fb3ed14.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=90.0.4480.48 --initial-client-data=0x2d8,0x2dc,0x2e0,0x2b4,0x2e4,0x752489c8,0x752489d8,0x752489e4
      2⤵
      • Loads dropped DLL
      PID:1848
    • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\af7892e321b7057ad7879f7e1ae568878153afec03bd216dd80a04a99fb3ed14.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\af7892e321b7057ad7879f7e1ae568878153afec03bd216dd80a04a99fb3ed14.exe" --version
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:3548
    • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406121343121\assistant\_sfx.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406121343121\assistant\_sfx.exe"
      2⤵
      • Executes dropped EXE
      PID:716
    • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406121343121\assistant\assistant_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406121343121\assistant\assistant_installer.exe" --version
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2912
      • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406121343121\assistant\assistant_installer.exe
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406121343121\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=110.0.5130.23 --initial-client-data=0x228,0x22c,0x230,0x204,0x234,0x11730e8,0x11730f4,0x1173100
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:420

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\af7892e321b7057ad7879f7e1ae568878153afec03bd216dd80a04a99fb3ed14.exe

    Filesize

    2.7MB

    MD5

    9f843bb1b987bc8fb36c20d3cabeefc3

    SHA1

    5e43f6065741e382f308a99e34a8db0fcb857d20

    SHA256

    af7892e321b7057ad7879f7e1ae568878153afec03bd216dd80a04a99fb3ed14

    SHA512

    6ca63987946a0344d362c49b1800d1b8d9886cdba8c2d7aa3815d167dd64ed80e3b9568904976ed0b8c80689c2c3600b3946ab34a5ff2ca3c12a873d202c490e

  • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406121343121\assistant\_sfx.exe

    Filesize

    2.5MB

    MD5

    028fb19ee2cea3e611b4a85ac48fafbc

    SHA1

    d1a802b5df649282e896289b4ec5df8d512b53dd

    SHA256

    e8fa79e22926ae07a998b5d2bb1be9309d0a15772ac72b88f4eed66052f33117

    SHA512

    99959d7765c1e6636dee1841f214cb2d0c7684d7128381b0387fa9c7ef4a92ef62bb094087bdcb343e44196b5a333df3a2104ced9f49671197a06fafa27aff51

  • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406121343121\assistant\assistant_installer.exe

    Filesize

    1.9MB

    MD5

    b6789061eb88781add48ec7095ff78e5

    SHA1

    c2cdf5723a94b3b5a69ad78a5e869347444abe0b

    SHA256

    c39c7199fa2221783ea61f085f484668e3c452706069b046cb0f4a9d4cb4c0a3

    SHA512

    7c9a61c7f8d45fb7a2591c0c57c22bca0b527e3b6b4a3bdde5fbdcca25abc1e0c56a244a39d4b65a91316eb8f19fb8232569f5781eedefbc0898646d4df10f9c

  • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406121343121\assistant\dbgcore.dll

    Filesize

    166KB

    MD5

    a4ed3b36776e0155fd24ffa609ffc2f4

    SHA1

    3d6496f21e0f04b6789365d06e71fe7de284b1c0

    SHA256

    b69387b9284dc36d377e4066c4cf361dc65efc6c784af0f8666d9684fabd2d29

    SHA512

    ae5d052fdcc7e7d3e593a1fb2dd5e64fcd75c7381ff4e4c5f4302d8d3c058a48c943c66d04c02d44d45c2bda36b3d3df096dfea26fc35d3c682bdd5221225e76

  • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406121343121\assistant\dbghelp.dll

    Filesize

    1.7MB

    MD5

    fa64324149160877768551fd96c360dc

    SHA1

    dd76ebe617271465ae5820f49152f8a89703ae1a

    SHA256

    7f4a2cff90524b769781b763077be198d74834c6b576ef9f27132a415cbbaca8

    SHA512

    72161c1b0449f546e2a3560369f5cebbe71c5f098efb4037a9ec229310082b0fab2de10b8a0f94b0213d5119cd9ff66daeaa73ca2163ba0224b5cd8526f7bbea

  • C:\Users\Admin\AppData\Local\Temp\Opera_installer_2406121343112903984.dll

    Filesize

    4.5MB

    MD5

    81fe65af3d3707ef3d58020f87c8ae21

    SHA1

    d25b438f9c2a4ef5929ca4167e2f6526f9252703

    SHA256

    c2be617c6c6a77724400992878a95dfdb7dd24571330a167e9c423d33098cb7b

    SHA512

    2a3cd92b9f5df14834cff9b37e5fa40faf47d8bb4a637fe44d58d69b0fdc218d2ea39e179b711ebad715eb656c8fb7fa2b7b4642c3301e000bf60fc38a6e0969

  • C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

    Filesize

    40B

    MD5

    e14446774fc674b5a9140348019d6391

    SHA1

    39ac74a1861c9488df5573994f2a31d0bdf033c3

    SHA256

    83a44241fea00dd10bd5713b4554e17776d6370deb6531acb7cf482484b27ad4

    SHA512

    fd496da38cab14da4a42bb952f79ef78d4435801a69f27714dbedf06cc1fd1cc9c42e1ac6f9e68c8b37bb85b863c36c1f5183b7a6f402b31545450bd98ae4013

  • memory/1848-7-0x0000000000400000-0x000000000092E000-memory.dmp

    Filesize

    5.2MB

  • memory/3548-17-0x0000000000400000-0x000000000092E000-memory.dmp

    Filesize

    5.2MB

  • memory/3548-19-0x0000000000400000-0x000000000092E000-memory.dmp

    Filesize

    5.2MB

  • memory/3984-3-0x0000000000400000-0x000000000092E000-memory.dmp

    Filesize

    5.2MB