a336fa6b8f4ed976d9558605dd9e2f2e568d7ab34e6b04c626cde9617b93c0b3

Analysis

max time kernel
119s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2024, 16:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f1b9a3c933f6effef76d8fdce9c12f0N.exe
Size

33KB
MD5

6f1b9a3c933f6effef76d8fdce9c12f0
SHA1

19ade1b3672c03362deb82d133783af0997b6ee2
SHA256

a336fa6b8f4ed976d9558605dd9e2f2e568d7ab34e6b04c626cde9617b93c0b3
SHA512

9d066ce1a4cca2bda289365eed6ce6d211f9ac5a4867fcda247ac779f1b69d8385cc3a08537344590804c467e55dba42aa52944b79e981b8af8dedc9de73b758
SSDEEP

192:CnuPSSRT/K36yFBvarOeJ1bKSAf7AlC+1lj8a1KVVVflkxIY9M6Qh/Ke0uc4W+xA:CU+fyyQ1KS0AC+1l91KldNAcZc1ncOVn

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	6f1b9a3c933f6effef76d8fdce9c12f0N.exe

Executes dropped EXE 1 IoCs

pid	Process
1788	opera_autoupdater.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6f1b9a3c933f6effef76d8fdce9c12f0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	opera_autoupdater.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3128 wrote to memory of 1788	3128	6f1b9a3c933f6effef76d8fdce9c12f0N.exe	87
PID 3128 wrote to memory of 1788	3128	6f1b9a3c933f6effef76d8fdce9c12f0N.exe	87
PID 3128 wrote to memory of 1788	3128	6f1b9a3c933f6effef76d8fdce9c12f0N.exe	87

C:\Users\Admin\AppData\Local\Temp\6f1b9a3c933f6effef76d8fdce9c12f0N.exe
"C:\Users\Admin\AppData\Local\Temp\6f1b9a3c933f6effef76d8fdce9c12f0N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3128
- C:\Users\Admin\AppData\Local\Temp\opera_autoupdater.exe
  "C:\Users\Admin\AppData\Local\Temp\opera_autoupdater.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\opera_autoupdater.exe

Filesize
33KB

MD5
1c32b4b4309761ebdaed4b0f02470795

SHA1
7854e326f3ff260893338b37da2d2db4e7d65c95

SHA256
86a10eaeb479243b5a347ea93e31238c1bc07f93aa4499481fc0d6bb21d96cb5

SHA512
1967993ed9dcf8202f9187c0bbda28b020fbd423c8c34efb00a9c62e0e07500387a89f02ac4a8de0beae27fcabd4946aa0a82a801eb012f0b024b189df8be95c

Download Submit
memory/1788-10-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1788-11-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3128-0-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/3128-1-0x0000000000403000-0x0000000000404000-memory.dmp

Filesize
4KB

Download