Analysis
  max time kernel: 149s
  max time network: 148s
  platform: windows7_x64
  resource: win7-20240903-en
  resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted: 21-11-2024 01:39
Behavioral task: behavioral1
  Sample: e02850224e42be3bb2e7de2eccbab2fea66c18a4ee309532ca5e59350d68eae4.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: e02850224e42be3bb2e7de2eccbab2fea66c18a4ee309532ca5e59350d68eae4.exe
  Resource: win10v2004-20241007-en
General
  Target: e02850224e42be3bb2e7de2eccbab2fea66c18a4ee309532ca5e59350d68eae4.exe
  Size: 932KB
  MD5: 19eb4feed67a15713b756b0335a308ed
  SHA1: 9e3166f1040cd8345df21a48c630c4a0f4ac3c87
  SHA256: e02850224e42be3bb2e7de2eccbab2fea66c18a4ee309532ca5e59350d68eae4
  SHA512: f667afc5f62cdf4a241cf5f53a40b95393a8d5731e982dc3ad55a0366da38c74495d4cd22f05ecb95e302b09850ebade9684ef228ae3a83b7e3acd7cf1bc90d0
  SSDEEP: 24576:G9T4MROxnFE3GrXpErZlI0AilFEvxHiKW:G90MiukpErZlI0AilFEvxHi
Malware Config
Signatures
Executes dropped EXE 4 IoCs
Processes (pid / process):
  2772  WindowsInput.exe
  604   WindowsInput.exe
  1988  OperaWatchdog.exe
  3068  OperaWatchdog.exe
Drops file in System32 directory 3 IoCs
Processes (description / ioc / process):
  File created  C:\Windows\SysWOW64\WindowsInput.exe           e02850224e42be3bb2e7de2eccbab2fea66c18a4ee309532ca5e59350d68eae4.exe
  File created  C:\Windows\SysWOW64\WindowsInput.exe.config    e02850224e42be3bb2e7de2eccbab2fea66c18a4ee309532ca5e59350d68eae4.exe
  File created  C:\Windows\SysWOW64\WindowsInput.InstallState  WindowsInput.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description / ioc / process):
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  OperaWatchdog.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  OperaWatchdog.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid / process; all 64 events come from these two processes):
  1588  e02850224e42be3bb2e7de2eccbab2fea66c18a4ee309532ca5e59350d68eae4.exe
  3068  OperaWatchdog.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes (description / pid / process):
  Token: SeDebugPrivilege  1588  e02850224e42be3bb2e7de2eccbab2fea66c18a4ee309532ca5e59350d68eae4.exe
  Token: SeDebugPrivilege  1988  OperaWatchdog.exe
  Token: SeDebugPrivilege  3068  OperaWatchdog.exe
Suspicious use of FindShellTrayWindow 1 IoCs
Processes (pid / process):
  1588  e02850224e42be3bb2e7de2eccbab2fea66c18a4ee309532ca5e59350d68eae4.exe
Suspicious use of SendNotifyMessage 1 IoCs
Processes (pid / process):
  1588  e02850224e42be3bb2e7de2eccbab2fea66c18a4ee309532ca5e59350d68eae4.exe
Suspicious use of WriteProcessMemory 26 IoCs
Processes (description / pid / process / target process; identical entries collapsed, occurrence count in parentheses):
  PID 1588 wrote to memory of 1052  1588  e02850224e42be3bb2e7de2eccbab2fea66c18a4ee309532ca5e59350d68eae4.exe  csc.exe            (3)
  PID 1052 wrote to memory of 2800  1052  csc.exe                                                                cvtres.exe         (3)
  PID 1588 wrote to memory of 2772  1588  e02850224e42be3bb2e7de2eccbab2fea66c18a4ee309532ca5e59350d68eae4.exe  WindowsInput.exe   (3)
  PID 2824 wrote to memory of 2748  2824  taskeng.exe                                                            e02850224e42be3bb2e7de2eccbab2fea66c18a4ee309532ca5e59350d68eae4.exe  (3)
  PID 2748 wrote to memory of 2668  2748  e02850224e42be3bb2e7de2eccbab2fea66c18a4ee309532ca5e59350d68eae4.exe  csc.exe            (3)
  PID 2668 wrote to memory of 1404  2668  csc.exe                                                                cvtres.exe         (3)
  PID 1588 wrote to memory of 1988  1588  e02850224e42be3bb2e7de2eccbab2fea66c18a4ee309532ca5e59350d68eae4.exe  OperaWatchdog.exe  (4)
  PID 1988 wrote to memory of 3068  1988  OperaWatchdog.exe                                                      OperaWatchdog.exe  (4)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (image path, then command line; [n] is the depth in the process tree)
  [1] C:\Users\Admin\AppData\Local\Temp\e02850224e42be3bb2e7de2eccbab2fea66c18a4ee309532ca5e59350d68eae4.exe
      "C:\Users\Admin\AppData\Local\Temp\e02850224e42be3bb2e7de2eccbab2fea66c18a4ee309532ca5e59350d68eae4.exe"
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      PID: 1588
      [2] C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\trb2s6gz.cmdline"
          - Suspicious use of WriteProcessMemory
          PID: 1052
          [3] C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8DC0.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8DBF.tmp"
              PID: 2800
      [2] C:\Windows\SysWOW64\WindowsInput.exe
          "C:\Windows\SysWOW64\WindowsInput.exe" --install
          - Executes dropped EXE
          - Drops file in System32 directory
          PID: 2772
      [2] C:\Users\Admin\AppData\Roaming\OperaWatchdog.exe
          "C:\Users\Admin\AppData\Roaming\OperaWatchdog.exe" /launchSelfAndExit "C:\Users\Admin\AppData\Local\Temp\e02850224e42be3bb2e7de2eccbab2fea66c18a4ee309532ca5e59350d68eae4.exe" 1588 /protectFile
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID: 1988
          [3] C:\Users\Admin\AppData\Roaming\OperaWatchdog.exe
              "C:\Users\Admin\AppData\Roaming\OperaWatchdog.exe" /watchProcess "C:\Users\Admin\AppData\Local\Temp\e02850224e42be3bb2e7de2eccbab2fea66c18a4ee309532ca5e59350d68eae4.exe" 1588 "/protectFile"
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              PID: 3068
  [1] C:\Windows\system32\taskeng.exe
      taskeng.exe {8CEBB340-90FB-4CEE-980C-DD0F0A5084A6} S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1]
      - Suspicious use of WriteProcessMemory
      PID: 2824
      [2] C:\Users\Admin\AppData\Local\Temp\e02850224e42be3bb2e7de2eccbab2fea66c18a4ee309532ca5e59350d68eae4.exe
          C:\Users\Admin\AppData\Local\Temp\e02850224e42be3bb2e7de2eccbab2fea66c18a4ee309532ca5e59350d68eae4.exe
          - Suspicious use of WriteProcessMemory
          PID: 2748
          [3] C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
              "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\8zc8xpz0.cmdline"
              - Suspicious use of WriteProcessMemory
              PID: 2668
              [4] C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES92FD.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC91D4.tmp"
                  PID: 1404
  [1] C:\Windows\SysWOW64\WindowsInput.exe
      "C:\Windows\SysWOW64\WindowsInput.exe"
      - Executes dropped EXE
      PID: 604
Network
MITRE ATT&CK Enterprise v15
Downloads