b7da66a18e8a265e5a63796f7584fdc6564d805c1af8e04cbb3eff6c3b2cb7c5

General

Target

b7da66a18e8a265e5a63796f7584fdc6564d805c1af8e04cbb3eff6c3b2cb7c5.exe
Size

5.1MB
MD5

12437ef6de9ccda2303cfb6b0d38c2b6
SHA1

df64e2bc7809a543fbde1b225176736b49e6fbe2
SHA256

b7da66a18e8a265e5a63796f7584fdc6564d805c1af8e04cbb3eff6c3b2cb7c5
SHA512

3f14cb200e5da8973aa6972e9533c453657dcd52bd5a76b9394a2b01291e691ef61d2c13998a5ee032483d6c9e5cbbe052ab8675b7b85a38cad7ed8fd42cea64
SSDEEP

98304:z0NFA6666666666666666666666666666666x666666666666666fwwwwwwwwwwV:hPMki6zio75L3pf3dedO4keCIwkoYbg1

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
4216	b7da66a18e8a265e5a63796f7584fdc6564d805c1af8e04cbb3eff6c3b2cb7c5.exe
2036	Assistant_112.0.5197.30_Setup.exe_sfx.exe
4828	assistant_installer.exe
1396	assistant_installer.exe

Loads dropped DLL 7 IoCs

pid	Process
3972	b7da66a18e8a265e5a63796f7584fdc6564d805c1af8e04cbb3eff6c3b2cb7c5.exe
1960	b7da66a18e8a265e5a63796f7584fdc6564d805c1af8e04cbb3eff6c3b2cb7c5.exe
4216	b7da66a18e8a265e5a63796f7584fdc6564d805c1af8e04cbb3eff6c3b2cb7c5.exe
4828	assistant_installer.exe
4828	assistant_installer.exe
1396	assistant_installer.exe
1396	assistant_installer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	b7da66a18e8a265e5a63796f7584fdc6564d805c1af8e04cbb3eff6c3b2cb7c5.exe
File opened (read-only)	\??\F:	b7da66a18e8a265e5a63796f7584fdc6564d805c1af8e04cbb3eff6c3b2cb7c5.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b7da66a18e8a265e5a63796f7584fdc6564d805c1af8e04cbb3eff6c3b2cb7c5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b7da66a18e8a265e5a63796f7584fdc6564d805c1af8e04cbb3eff6c3b2cb7c5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b7da66a18e8a265e5a63796f7584fdc6564d805c1af8e04cbb3eff6c3b2cb7c5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Assistant_112.0.5197.30_Setup.exe_sfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	assistant_installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	assistant_installer.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	b7da66a18e8a265e5a63796f7584fdc6564d805c1af8e04cbb3eff6c3b2cb7c5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f53000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c7f000000010000000c000000300a06082b060105050703097e000000010000000800000000c001b39667d601030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	b7da66a18e8a265e5a63796f7584fdc6564d805c1af8e04cbb3eff6c3b2cb7c5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	b7da66a18e8a265e5a63796f7584fdc6564d805c1af8e04cbb3eff6c3b2cb7c5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	b7da66a18e8a265e5a63796f7584fdc6564d805c1af8e04cbb3eff6c3b2cb7c5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b90f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e404000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	b7da66a18e8a265e5a63796f7584fdc6564d805c1af8e04cbb3eff6c3b2cb7c5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae4747e000000010000000800000000c001b39667d6017f000000010000000c000000300a06082b060105050703091d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb0b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b0601050507030853000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	b7da66a18e8a265e5a63796f7584fdc6564d805c1af8e04cbb3eff6c3b2cb7c5.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3972	b7da66a18e8a265e5a63796f7584fdc6564d805c1af8e04cbb3eff6c3b2cb7c5.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3972 wrote to memory of 1960	3972	b7da66a18e8a265e5a63796f7584fdc6564d805c1af8e04cbb3eff6c3b2cb7c5.exe	92
PID 3972 wrote to memory of 1960	3972	b7da66a18e8a265e5a63796f7584fdc6564d805c1af8e04cbb3eff6c3b2cb7c5.exe	92
PID 3972 wrote to memory of 1960	3972	b7da66a18e8a265e5a63796f7584fdc6564d805c1af8e04cbb3eff6c3b2cb7c5.exe	92
PID 3972 wrote to memory of 4216	3972	b7da66a18e8a265e5a63796f7584fdc6564d805c1af8e04cbb3eff6c3b2cb7c5.exe	94
PID 3972 wrote to memory of 4216	3972	b7da66a18e8a265e5a63796f7584fdc6564d805c1af8e04cbb3eff6c3b2cb7c5.exe	94
PID 3972 wrote to memory of 4216	3972	b7da66a18e8a265e5a63796f7584fdc6564d805c1af8e04cbb3eff6c3b2cb7c5.exe	94
PID 3972 wrote to memory of 2036	3972	b7da66a18e8a265e5a63796f7584fdc6564d805c1af8e04cbb3eff6c3b2cb7c5.exe	96
PID 3972 wrote to memory of 2036	3972	b7da66a18e8a265e5a63796f7584fdc6564d805c1af8e04cbb3eff6c3b2cb7c5.exe	96
PID 3972 wrote to memory of 2036	3972	b7da66a18e8a265e5a63796f7584fdc6564d805c1af8e04cbb3eff6c3b2cb7c5.exe	96
PID 3972 wrote to memory of 4828	3972	b7da66a18e8a265e5a63796f7584fdc6564d805c1af8e04cbb3eff6c3b2cb7c5.exe	97
PID 3972 wrote to memory of 4828	3972	b7da66a18e8a265e5a63796f7584fdc6564d805c1af8e04cbb3eff6c3b2cb7c5.exe	97
PID 3972 wrote to memory of 4828	3972	b7da66a18e8a265e5a63796f7584fdc6564d805c1af8e04cbb3eff6c3b2cb7c5.exe	97
PID 4828 wrote to memory of 1396	4828	assistant_installer.exe	98
PID 4828 wrote to memory of 1396	4828	assistant_installer.exe	98
PID 4828 wrote to memory of 1396	4828	assistant_installer.exe	98

C:\Users\Admin\AppData\Local\Temp\b7da66a18e8a265e5a63796f7584fdc6564d805c1af8e04cbb3eff6c3b2cb7c5.exe
"C:\Users\Admin\AppData\Local\Temp\b7da66a18e8a265e5a63796f7584fdc6564d805c1af8e04cbb3eff6c3b2cb7c5.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3972
- C:\Users\Admin\AppData\Local\Temp\b7da66a18e8a265e5a63796f7584fdc6564d805c1af8e04cbb3eff6c3b2cb7c5.exe
  C:\Users\Admin\AppData\Local\Temp\b7da66a18e8a265e5a63796f7584fdc6564d805c1af8e04cbb3eff6c3b2cb7c5.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.35 --initial-client-data=0x2a4,0x2a8,0x2ac,0x2a0,0x2b0,0x74c2e1d0,0x74c2e1dc,0x74c2e1e8
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1960
- C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\b7da66a18e8a265e5a63796f7584fdc6564d805c1af8e04cbb3eff6c3b2cb7c5.exe
  "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\b7da66a18e8a265e5a63796f7584fdc6564d805c1af8e04cbb3eff6c3b2cb7c5.exe" --version
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4216
- C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202408080703371\assistant\Assistant_112.0.5197.30_Setup.exe_sfx.exe
  "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202408080703371\assistant\Assistant_112.0.5197.30_Setup.exe_sfx.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2036
- C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202408080703371\assistant\assistant_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202408080703371\assistant\assistant_installer.exe" --version
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4828
- - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202408080703371\assistant\assistant_installer.exe
    "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202408080703371\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=112.0.5197.30 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0xd68f40,0xd68f4c,0xd68f58
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4608,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=1044 /prefetch:8
1⤵
PID:548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\b7da66a18e8a265e5a63796f7584fdc6564d805c1af8e04cbb3eff6c3b2cb7c5.exe

Filesize
5.1MB

MD5
12437ef6de9ccda2303cfb6b0d38c2b6

SHA1
df64e2bc7809a543fbde1b225176736b49e6fbe2

SHA256
b7da66a18e8a265e5a63796f7584fdc6564d805c1af8e04cbb3eff6c3b2cb7c5

SHA512
3f14cb200e5da8973aa6972e9533c453657dcd52bd5a76b9394a2b01291e691ef61d2c13998a5ee032483d6c9e5cbbe052ab8675b7b85a38cad7ed8fd42cea64

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202408080703371\additional_file0.tmp

Filesize
2.6MB

MD5
1bf64fd766bd850bcf8e0ffa9093484b

SHA1
01524bb2c88b7066391da291ee474004a4904891

SHA256
58794b1bf4d84bd7566ee89fd8a8a4157dc70c598d229ec5101959f30b6f3491

SHA512
cdf2830edc5d4f30beae41591f3a1bcff820f75444d70338a4c6d36e10df43475f383a9f291b619a008452c53e0dddf65547f217386389000535d6d264854e7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202408080703371\assistant\assistant_installer.exe

Filesize
1.9MB

MD5
9afe96db501220cf42b262fdac954dc8

SHA1
d3471998f674b267256e72a30977a79abcd8fca9

SHA256
fc5608bf95bb02e889aa9be15abc5c066acd62ba07f886b323383e75909a2566

SHA512
ecff52ca7467e3948faa244c1fc7c3d4d1f1dbe74077d071b78147729a078cc6a676212e0606111edcf542d554045c4f5a4d502545b2f0a285cda6c5d0b69b27

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202408080703371\assistant\dbgcore.dll

Filesize
166KB

MD5
e0274730d20eb9571d59f2da20d165a2

SHA1
b746aeca5f7cbee0de163309c9d207c94f9b8d64

SHA256
c5c4c6430bcfe6118a4f499c94afa460401e369dc548a24688532c95fd202ec5

SHA512
d95998b69e6c3d25037e12e038f2773960de2d18df1af0342fd805c7c349bd630a21d0e0fe7490baaf274e90781ebf6a2667e64593f9d91174d040bfe640bddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202408080703371\assistant\dbghelp.dll

Filesize
1.7MB

MD5
6e9976cc7b2def7a37106703e47626a5

SHA1
edcb4758f8ee56e9c6515f912d5024aeca9ead50

SHA256
fd8840fab4b61db4e9e09168e5b1b4f0e9bfea0a64482fd475ab63c712b92b9c

SHA512
27091e6ad001dac22897a295806925e02f693096d79667e587de74ca955ffb9b2773b22c83e306e7164862524e02ad028e68684c2ca7d9e4da1ff03787dd40ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2408080703364413972.dll

Filesize
4.6MB

MD5
117176ddeaf70e57d1747704942549e4

SHA1
75e3ab6b3469d93cce9ea2f7e22b71b987ccdf2b

SHA256
3c5b34de987116a4d3240e319c0da89a951c96b81e6705476a0fea27b22b20af

SHA512
ca2a356929c92d314aab63d7f3b246d72783212dfa3a4507f28d41a51ca0eedc78e85b1cd453aa8e02c12509f847a0216bb702154f903291c804c8a98ec378b9

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

Filesize
40B

MD5
8c0ec5bc7b0c5615405d1b61be9636cc

SHA1
dfb4017b012f305cdf470c3d629f35816ba37268

SHA256
d1b7e4e13e43351a921100d0ed262e08251efe38c54b2d671354fd1faf8c8f91

SHA512
df6f6c200bedfe9a8d3d53fcd94fc9cb4bbcb1b3b6ca0543a24f760629834d358e84254ec1fd7c1fbfa82002cd20052f85d7899a4a6015c092292370fb37b409

Download Submit

Analysis

Sharing