e197e681b996043da9348f3f06f137f3c2202546ec4217a5b53823ae12b5c823

Analysis

max time kernel
297s
max time network
300s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
27/06/2024, 23:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e197e681b996043da9348f3f06f137f3c2202546ec4217a5b53823ae12b5c823.exe
Size

2.0MB
MD5

4606ce909104b8dd7ad572c12f9d0179
SHA1

37e51eb9186c17b3b9fd7478657c4472f1d67ed1
SHA256

e197e681b996043da9348f3f06f137f3c2202546ec4217a5b53823ae12b5c823
SHA512

34c3c286a2b6912e6446058f1bc021ae0a399665415dd0216526b729a0c2775ed27cfc5b5b47e514624c973d2816c73ece70868200353230dc6eae13f6bd43ac
SSDEEP

49152:aNEyY80FNFPy4tGmml/0947g+b9W7m6S/sbs0wQ22qPAoFmkw:gEhFvqXjbqoJQCK

Score

8^/10

spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
4728	setup.exe
208	setup.exe
4580	setup.exe

Loads dropped DLL 3 IoCs

pid	Process
4728	setup.exe
208	setup.exe
4580	setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\F:	setup.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4728	setup.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5116 wrote to memory of 4728	5116	e197e681b996043da9348f3f06f137f3c2202546ec4217a5b53823ae12b5c823.exe	73
PID 5116 wrote to memory of 4728	5116	e197e681b996043da9348f3f06f137f3c2202546ec4217a5b53823ae12b5c823.exe	73
PID 5116 wrote to memory of 4728	5116	e197e681b996043da9348f3f06f137f3c2202546ec4217a5b53823ae12b5c823.exe	73
PID 4728 wrote to memory of 208	4728	setup.exe	74
PID 4728 wrote to memory of 208	4728	setup.exe	74
PID 4728 wrote to memory of 208	4728	setup.exe	74
PID 4728 wrote to memory of 4580	4728	setup.exe	75
PID 4728 wrote to memory of 4580	4728	setup.exe	75
PID 4728 wrote to memory of 4580	4728	setup.exe	75

C:\Users\Admin\AppData\Local\Temp\e197e681b996043da9348f3f06f137f3c2202546ec4217a5b53823ae12b5c823.exe
"C:\Users\Admin\AppData\Local\Temp\e197e681b996043da9348f3f06f137f3c2202546ec4217a5b53823ae12b5c823.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5116
- C:\Users\Admin\AppData\Local\Temp\7zSCF308D57\setup.exe
  C:\Users\Admin\AppData\Local\Temp\7zSCF308D57\setup.exe --server-tracking-blob=ZTUxNDJmOGU1ZTc4NmUzMDQ2MGI3NjBlZDU3MjEyYjFjNDZiOTNjMzhhMTQ5MTFhNjUyN2YzY2U5MWM0ZThiYTp7ImNvdW50cnkiOiJVUyIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijoib3BlcmEiLCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cz91dG1fbWVkaXVtPXBiJnV0bV9zb3VyY2U9Y2luc3QmdXRtX2NhbXBhaWduPU9wZXJhX0Rlc2t0b3AmdXRtX2NvbnRlbnQ9NWQ3NzZmZmE0ZDQ4OF8mdXRtX2lkPTM0czRmOGs2SmtDR1JoSEppRWY0aU0iLCJ0aW1lc3RhbXAiOiIxNzE5MDAyMjQ2LjkzNTgiLCJ1dG0iOnsiY2FtcGFpZ24iOiJPcGVyYV9EZXNrdG9wIiwiY29udGVudCI6IjVkNzc2ZmZhNGQ0ODhfIiwiaWQiOiIzNHM0ZjhrNkprQ0dSaEhKaUVmNGlNIiwibWVkaXVtIjoicGIiLCJzb3VyY2UiOiJjaW5zdCJ9LCJ1dWlkIjoiNDUzYmQ2ODItZTk4MS00MzlkLWEwMWMtNjE1MTExOTJjNmYwIn0=
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4728
- - C:\Users\Admin\AppData\Local\Temp\7zSCF308D57\setup.exe
    C:\Users\Admin\AppData\Local\Temp\7zSCF308D57\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=111.0.5168.25 --initial-client-data=0x30c,0x310,0x314,0x2e8,0x318,0x73c1a128,0x73c1a134,0x73c1a140
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:208
- - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe" --version
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSCF308D57\setup.exe

Filesize
5.2MB

MD5
6a39877aba485cd09c090e4e24f53de6

SHA1
ada29b30d665203b7e6cda8f1b6114699ba472a7

SHA256
2daba944e443aea09f4d50a0ac5ea2a6bb85b6f861c83c1bbd284e6d81e8a7e3

SHA512
ecab25931ed2d985b396e62d5930dd5c7edc3c0835e3e3df3058197bb8800491a8ea13fc824935bcf187a848a29da176c7dd7dc8f43aaca108e17fed76dfb32c

Download Submit
\Users\Admin\AppData\Local\Temp\Opera_installer_2406272326586264728.dll

Filesize
4.7MB

MD5
b05a49fe0b700420401974a62cea7be6

SHA1
1dec7981c1d5eab1952c69c512dcc3877241c82e

SHA256
12f8a3f3569cecd209e1a6e229e7e6c3d130ab1694fdf71c10d5e3b5154ba703

SHA512
34fc1e8a9e046400107ea0e1be1aeb7d1d8a5e71380733bbce0ac5d15ee9b58762b63f7de4591762b6a7c32f5be83122bbf757d3a88a6f78e6d2c06ffd596833

Download Submit