hxxps://desktop-netinstaller-sub[.]osp[.]opera[.]software/v1/binary

Analysis

max time kernel
299s
max time network
273s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2023, 17:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://desktop-netinstaller-sub.osp.opera.software/v1/binary

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133334849209397904"	chrome.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
1240	chrome.exe
1240	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3828	chrome.exe
3828	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3828 wrote to memory of 3000	3828	chrome.exe	81
PID 3828 wrote to memory of 3000	3828	chrome.exe	81
PID 3828 wrote to memory of 4960	3828	chrome.exe	86
PID 3828 wrote to memory of 4960	3828	chrome.exe	86
PID 3828 wrote to memory of 4960	3828	chrome.exe	86
PID 3828 wrote to memory of 4960	3828	chrome.exe	86
PID 3828 wrote to memory of 4960	3828	chrome.exe	86
PID 3828 wrote to memory of 4960	3828	chrome.exe	86
PID 3828 wrote to memory of 4960	3828	chrome.exe	86
PID 3828 wrote to memory of 4960	3828	chrome.exe	86
PID 3828 wrote to memory of 4960	3828	chrome.exe	86
PID 3828 wrote to memory of 4960	3828	chrome.exe	86
PID 3828 wrote to memory of 4960	3828	chrome.exe	86
PID 3828 wrote to memory of 4960	3828	chrome.exe	86
PID 3828 wrote to memory of 4960	3828	chrome.exe	86
PID 3828 wrote to memory of 4960	3828	chrome.exe	86
PID 3828 wrote to memory of 4960	3828	chrome.exe	86
PID 3828 wrote to memory of 4960	3828	chrome.exe	86
PID 3828 wrote to memory of 4960	3828	chrome.exe	86
PID 3828 wrote to memory of 4960	3828	chrome.exe	86
PID 3828 wrote to memory of 4960	3828	chrome.exe	86
PID 3828 wrote to memory of 4960	3828	chrome.exe	86
PID 3828 wrote to memory of 4960	3828	chrome.exe	86
PID 3828 wrote to memory of 4960	3828	chrome.exe	86
PID 3828 wrote to memory of 4960	3828	chrome.exe	86
PID 3828 wrote to memory of 4960	3828	chrome.exe	86
PID 3828 wrote to memory of 4960	3828	chrome.exe	86
PID 3828 wrote to memory of 4960	3828	chrome.exe	86
PID 3828 wrote to memory of 4960	3828	chrome.exe	86
PID 3828 wrote to memory of 4960	3828	chrome.exe	86
PID 3828 wrote to memory of 4960	3828	chrome.exe	86
PID 3828 wrote to memory of 4960	3828	chrome.exe	86
PID 3828 wrote to memory of 4960	3828	chrome.exe	86
PID 3828 wrote to memory of 4960	3828	chrome.exe	86
PID 3828 wrote to memory of 4960	3828	chrome.exe	86
PID 3828 wrote to memory of 4960	3828	chrome.exe	86
PID 3828 wrote to memory of 4960	3828	chrome.exe	86
PID 3828 wrote to memory of 4960	3828	chrome.exe	86
PID 3828 wrote to memory of 4960	3828	chrome.exe	86
PID 3828 wrote to memory of 4960	3828	chrome.exe	86
PID 3828 wrote to memory of 4460	3828	chrome.exe	87
PID 3828 wrote to memory of 4460	3828	chrome.exe	87
PID 3828 wrote to memory of 5024	3828	chrome.exe	90
PID 3828 wrote to memory of 5024	3828	chrome.exe	90
PID 3828 wrote to memory of 5024	3828	chrome.exe	90
PID 3828 wrote to memory of 5024	3828	chrome.exe	90
PID 3828 wrote to memory of 5024	3828	chrome.exe	90
PID 3828 wrote to memory of 5024	3828	chrome.exe	90
PID 3828 wrote to memory of 5024	3828	chrome.exe	90
PID 3828 wrote to memory of 5024	3828	chrome.exe	90
PID 3828 wrote to memory of 5024	3828	chrome.exe	90
PID 3828 wrote to memory of 5024	3828	chrome.exe	90
PID 3828 wrote to memory of 5024	3828	chrome.exe	90
PID 3828 wrote to memory of 5024	3828	chrome.exe	90
PID 3828 wrote to memory of 5024	3828	chrome.exe	90
PID 3828 wrote to memory of 5024	3828	chrome.exe	90
PID 3828 wrote to memory of 5024	3828	chrome.exe	90
PID 3828 wrote to memory of 5024	3828	chrome.exe	90
PID 3828 wrote to memory of 5024	3828	chrome.exe	90
PID 3828 wrote to memory of 5024	3828	chrome.exe	90
PID 3828 wrote to memory of 5024	3828	chrome.exe	90
PID 3828 wrote to memory of 5024	3828	chrome.exe	90
PID 3828 wrote to memory of 5024	3828	chrome.exe	90
PID 3828 wrote to memory of 5024	3828	chrome.exe	90

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://desktop-netinstaller-sub.osp.opera.software/v1/binary
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff265f9758,0x7fff265f9768,0x7fff265f9778
  2⤵
  PID:3000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1700 --field-trial-handle=1888,i,9682013465483563125,10753890468335877152,131072 /prefetch:2
  2⤵
  PID:4960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=1888,i,9682013465483563125,10753890468335877152,131072 /prefetch:8
  2⤵
  PID:4460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3028 --field-trial-handle=1888,i,9682013465483563125,10753890468335877152,131072 /prefetch:1
  2⤵
  PID:4764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3012 --field-trial-handle=1888,i,9682013465483563125,10753890468335877152,131072 /prefetch:1
  2⤵
  PID:2484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2180 --field-trial-handle=1888,i,9682013465483563125,10753890468335877152,131072 /prefetch:8
  2⤵
  PID:5024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4832 --field-trial-handle=1888,i,9682013465483563125,10753890468335877152,131072 /prefetch:8
  2⤵
  PID:484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4864 --field-trial-handle=1888,i,9682013465483563125,10753890468335877152,131072 /prefetch:8
  2⤵
  PID:3352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4900 --field-trial-handle=1888,i,9682013465483563125,10753890468335877152,131072 /prefetch:8
  2⤵
  PID:60
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3916 --field-trial-handle=1888,i,9682013465483563125,10753890468335877152,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1240

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4632

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\9be1215a-5f07-48cc-9502-9e5efb9e061e.tmp

Filesize
15KB

MD5
cddf6247198971113df7658eb96c96db

SHA1
d329b6c03e6a79dfb2cc53e35e50138499b0c4b0

SHA256
7e5f575b680e8d58ab8260405304a3d1a27c25bfd96437ddae44fd61467002f9

SHA512
e76bd412b3ae373d9666a6e5255c550b672caf119b9816f23a1c7013661064f52868859083127c12452eefe3d99bd242748dd1c82ac3c6ff86516de018c6358d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
f3e8c4dce1742e80ce6464eea5f6451f

SHA1
233da72515678ab93bcc6712a05d390037a8d327

SHA256
a4b35bea365f9e5c95fbaac79ba413b58b5c90bc0b10d87ece31736507d9a181

SHA512
635981650ad0f62792750a6ae79c82643f3b1836e70ea25a4b28e4afe64a4ec720aa7e3880db9e5bf39c53d324fada2f387f3f7ed411a615fbde72662b00e239

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d203abaeee6ba86a05c52e2999a9e458

SHA1
9b491c78f4c33ab14d35ed223050d656f1162579

SHA256
e0d70dd63c5ab733aa3830573dcfcc938bf9c22d95471fac676d4a212281a7d4

SHA512
d9689c30c401c5fc7ff664fdccbeeed874d20ffd40021782f540cc4e91010e0c882380aa49158a939c119d5097fe503f66b4ca134855d24282dada60871fe2d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f1bf22324d71b30853f9d29eb8cb5a89

SHA1
1df27acb22d77427a5043b0ebd16dc961c0a9275

SHA256
274dbbec775ee2a8c4587a48961bb6eadc345b8fa218516faf79ad26d7d4155b

SHA512
89e0ca62a5d37d454bb0d7b2ebb59636483fefd56014a71191ddc0fcd71350db94a531f5073be72c25cf2ebb7de1d3de2e74cf3e4bf92092148594151143468e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
172KB

MD5
62cef0e01f8a05e981a3a4410cd5662a

SHA1
6fb2739fd14f73c509f6cfa58598de379e73fac7

SHA256
218b0ec71465d49674da6060c1024ca1a35846dc4c1ab7e06336f2e5b67bf1cd

SHA512
1d2d310cb15bdb3f52e0e4f2d818db7d69ded8fd15f967b8674f1fe6bf1620eac85933d1323d2113546ea25a3908fbe586b4ef12750518cbb68396ca1b0fcc05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit