a95442dc0471e48525a794d426cb968a76ededdd0bc4684a70b366ef09772108

General

Target

OperaSetup.exe
Size

2.7MB
MD5

32a164c7440f0cea2923b544d0a169df
SHA1

c536227be3d6df4ad5d06cdccd5212eff6cfd988
SHA256

a95442dc0471e48525a794d426cb968a76ededdd0bc4684a70b366ef09772108
SHA512

4c6339da012fe13c1d95b4e1daddc2d0cdde5c61ef2ed0369438cd4fb4234d465f2879acaad3d5f01a4ace667828c6d69837ea1a4c68d4e8267373746aec44ef
SSDEEP

49152:nBTG7j5EFGJwXYK3hcHvqO4Vf6X9dDbqhXxp+2V8VqSK6j0bLlH:dKj5scbqxx6XPbqhXxrSK6j0nlH

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
864	OperaSetup.exe

Loads dropped DLL 4 IoCs

pid	Process
2020	OperaSetup.exe
1984	OperaSetup.exe
2020	OperaSetup.exe
864	OperaSetup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000015c38-59.dat	upx
behavioral1/files/0x0006000000015c38-61.dat	upx
behavioral1/memory/2020-62-0x0000000000400000-0x0000000000947000-memory.dmp	upx
behavioral1/memory/1984-64-0x0000000000400000-0x0000000000947000-memory.dmp	upx
behavioral1/memory/864-68-0x0000000000400000-0x0000000000947000-memory.dmp	upx

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	OperaSetup.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 1984	2020	OperaSetup.exe	27
PID 2020 wrote to memory of 1984	2020	OperaSetup.exe	27
PID 2020 wrote to memory of 1984	2020	OperaSetup.exe	27
PID 2020 wrote to memory of 1984	2020	OperaSetup.exe	27
PID 2020 wrote to memory of 1984	2020	OperaSetup.exe	27
PID 2020 wrote to memory of 1984	2020	OperaSetup.exe	27
PID 2020 wrote to memory of 1984	2020	OperaSetup.exe	27
PID 2020 wrote to memory of 864	2020	OperaSetup.exe	28
PID 2020 wrote to memory of 864	2020	OperaSetup.exe	28
PID 2020 wrote to memory of 864	2020	OperaSetup.exe	28
PID 2020 wrote to memory of 864	2020	OperaSetup.exe	28
PID 2020 wrote to memory of 864	2020	OperaSetup.exe	28
PID 2020 wrote to memory of 864	2020	OperaSetup.exe	28
PID 2020 wrote to memory of 864	2020	OperaSetup.exe	28

C:\Users\Admin\AppData\Local\Temp\OperaSetup.exe
"C:\Users\Admin\AppData\Local\Temp\OperaSetup.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Users\Admin\AppData\Local\Temp\OperaSetup.exe
  C:\Users\Admin\AppData\Local\Temp\OperaSetup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=95.0.4635.25 --initial-client-data=0x188,0x18c,0x190,0x15c,0x194,0x7450e428,0x7450e438,0x7450e444
  2⤵
  - Loads dropped DLL
  PID:1984
- C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\OperaSetup.exe
  "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\OperaSetup.exe" --version
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:864

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\OperaSetup.exe

Filesize
2.7MB

MD5
32a164c7440f0cea2923b544d0a169df

SHA1
c536227be3d6df4ad5d06cdccd5212eff6cfd988

SHA256
a95442dc0471e48525a794d426cb968a76ededdd0bc4684a70b366ef09772108

SHA512
4c6339da012fe13c1d95b4e1daddc2d0cdde5c61ef2ed0369438cd4fb4234d465f2879acaad3d5f01a4ace667828c6d69837ea1a4c68d4e8267373746aec44ef

Download Submit
\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\OperaSetup.exe

Filesize
2.7MB

MD5
32a164c7440f0cea2923b544d0a169df

SHA1
c536227be3d6df4ad5d06cdccd5212eff6cfd988

SHA256
a95442dc0471e48525a794d426cb968a76ededdd0bc4684a70b366ef09772108

SHA512
4c6339da012fe13c1d95b4e1daddc2d0cdde5c61ef2ed0369438cd4fb4234d465f2879acaad3d5f01a4ace667828c6d69837ea1a4c68d4e8267373746aec44ef

Download Submit
\Users\Admin\AppData\Local\Temp\Opera_installer_2302050454385982020.dll

Filesize
4.6MB

MD5
914ec7fb3d69e977440248ef30323636

SHA1
2aa31e599769f34d0cb6e979947ca5728db9b009

SHA256
528117e7c698fbe7ad3036aef77f99ab8af74316def7a4ba60f738c40168c203

SHA512
ff62901ffe79bbc8ffe6cce3efc8f13e71f13a41772b8d0180614b6ba80d5b9db1094a97cf3d239057dca2efdd7b0adc217f3ddce5111267c50ec9d0d1125b3a

Download Submit
\Users\Admin\AppData\Local\Temp\Opera_installer_2302050454390721984.dll

Filesize
4.6MB

MD5
914ec7fb3d69e977440248ef30323636

SHA1
2aa31e599769f34d0cb6e979947ca5728db9b009

SHA256
528117e7c698fbe7ad3036aef77f99ab8af74316def7a4ba60f738c40168c203

SHA512
ff62901ffe79bbc8ffe6cce3efc8f13e71f13a41772b8d0180614b6ba80d5b9db1094a97cf3d239057dca2efdd7b0adc217f3ddce5111267c50ec9d0d1125b3a

Download Submit
\Users\Admin\AppData\Local\Temp\Opera_installer_230205045439701864.dll

Filesize
1.6MB

MD5
2f8c12dda03aebaa6ca96b8d44084324

SHA1
fd8999ab1d4d7c77e755872ed1708ca24d710731

SHA256
c93fd73a4aba627343563ef3aae57f81d716b35f181fdd99efb0cfae59948c46

SHA512
c33c6b2b0ce92bf99d1f00c040ea986ed0274000c260cc537d499cf41f37e9edee0ce1587ce12c806b179ae046a2cf97f5157a3ace465b97957a297f1692da6d

Download Submit
memory/864-60-0x0000000000000000-mapping.dmp

Download
memory/864-68-0x0000000000400000-0x0000000000947000-memory.dmp

Filesize
5.3MB

Download
memory/1984-64-0x0000000000400000-0x0000000000947000-memory.dmp

Filesize
5.3MB

Download
memory/1984-56-0x0000000000000000-mapping.dmp

Download
memory/2020-63-0x0000000002890000-0x0000000002DD7000-memory.dmp

Filesize
5.3MB

Download
memory/2020-62-0x0000000000400000-0x0000000000947000-memory.dmp

Filesize
5.3MB

Download
memory/2020-65-0x0000000003350000-0x0000000003897000-memory.dmp

Filesize
5.3MB

Download
memory/2020-55-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing