db40e694d26ae2fefa4f9c90575ac7a2a4fe457159fd94194143929fc9c0fb0f

Resubmissions

01/08/2023, 16:42

230801-t734eaag2w 8

01/08/2023, 16:38

230801-t5nkyaaf6w 8

01/08/2023, 16:35

230801-t33l3saf3t 8

01/08/2023, 16:09

230801-tl6meahd46 8

Analysis

max time kernel
8s
max time network
18s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
01/08/2023, 16:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

installer.exe
Size

3.2MB
MD5

59a68ed68edc9f9fb64fd21632b488ee
SHA1

806dc1ccf066bc479baf091dbc549b6b7dabd976
SHA256

db40e694d26ae2fefa4f9c90575ac7a2a4fe457159fd94194143929fc9c0fb0f
SHA512

5043a093ddbadd46dad82dd5e7ea5c47133abc4ea11e6ecf6597ac90639909c7c8d0fa797800839b6e122f3a154400fb7ec37fd95e1b3ad669e48c75a84d796a
SSDEEP

98304:s5yfepuZjCcglpcQSkgOT8lOC+ctUMz6ln7RK8UkLEqdGAHqLjDAKNqG:ZVscgrcQSkg0pJwioqdGvNqG

Score

8^/10

spyware stealer upx

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
4180	installer.exe

Loads dropped DLL 3 IoCs

pid	Process
2888	installer.exe
4464	installer.exe
4180	installer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2888-133-0x0000000000400000-0x00000000008F6000-memory.dmp	upx
behavioral2/memory/4464-138-0x0000000000400000-0x00000000008F6000-memory.dmp	upx
behavioral2/files/0x00070000000231e9-147.dat	upx
behavioral2/memory/4180-152-0x0000000000400000-0x00000000008F6000-memory.dmp	upx
behavioral2/memory/5004-168-0x0000000000400000-0x00000000008F6000-memory.dmp	upx
behavioral2/memory/824-163-0x0000000000400000-0x00000000008F6000-memory.dmp	upx

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	installer.exe
File opened (read-only)	\??\F:	installer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2888	installer.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 4464	2888	installer.exe	86
PID 2888 wrote to memory of 4464	2888	installer.exe	86
PID 2888 wrote to memory of 4464	2888	installer.exe	86
PID 2888 wrote to memory of 4180	2888	installer.exe	87
PID 2888 wrote to memory of 4180	2888	installer.exe	87
PID 2888 wrote to memory of 4180	2888	installer.exe	87
PID 2888 wrote to memory of 824	2888	installer.exe	92
PID 2888 wrote to memory of 824	2888	installer.exe	92
PID 2888 wrote to memory of 824	2888	installer.exe	92

C:\Users\Admin\AppData\Local\Temp\installer.exe
"C:\Users\Admin\AppData\Local\Temp\installer.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Users\Admin\AppData\Local\Temp\installer.exe
  C:\Users\Admin\AppData\Local\Temp\installer.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=82.0.4227.25 --initial-client-data=0x304,0x308,0x30c,0x2e0,0x310,0x758df568,0x758df578,0x758df584
  2⤵
  - Loads dropped DLL
  PID:4464
- C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\installer.exe
  "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\installer.exe" --version
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4180
- C:\Users\Admin\AppData\Local\Temp\installer.exe
  "C:\Users\Admin\AppData\Local\Temp\installer.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera GX" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=0 --pintotaskbar=1 --pintostartmenu=1 --pin-additional-shortcuts=1 --server-tracking-data=server_tracking_data --initial-pid=2888 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_20230801163708" --session-guid=c4c5a60f-9510-4d3b-a232-1984357d5ba4 --server-tracking-blob="NTQyNzBiMTU3YzIyOGE5ZWUxZjU4Yzg5Y2RhYTViZTM0OTc3ZWEzMWIwYmRiZTFiYjE2NDYyMjMwZjllMDg5Zjp7ImNvdW50cnkiOiJQTCIsImh0dHBfcmVmZXJyZXIiOiJodHRwczovL3d3dy5vcGVyYS5jb20vIiwiaW5zdGFsbGVyX25hbWUiOiJPcGVyYUdYU2V0dXAuZXhlIiwicHJvZHVjdCI6Im9wZXJhX2d4IiwicXVlcnkiOiIvb3BlcmFfZ3gvc3RhYmxlL3dpbmRvd3M/dXRtX3RyeWFnYWluPXllcyZ1dG1fc291cmNlPWVnc192aWFfb3BlcmFfY29tJnV0bV9tZWRpdW09dHAmdXRtX2NhbXBhaWduPWVnc192aWFfb3BlcmFfY29tX2h0dHBzJiYmaHR0cF9yZWZlcnJlcj1taXNzaW5nX3ZpYV9vcGVyYV9jb20mdXRtX3NpdGU9b3BlcmFfY29tJiZ1dG1fbGFzdHBhZ2U9b3BlcmEuY29tL2d4JmRsX3Rva2VuPTk2NTAxMjYzIiwidGltZXN0YW1wIjoiMTYzOTU2NjkxNy41NzE5IiwidXNlcmFnZW50IjoiTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzk3LjAuNDY5Mi4yMCBTYWZhcmkvNTM3LjM2IE9QUi84My4wLjQyNTQuNSAoRWRpdGlvbiBiZXRhKSIsInV0bSI6eyJjYW1wYWlnbiI6ImVnc192aWFfb3BlcmFfY29tX2h0dHBzIiwibGFzdHBhZ2UiOiJvcGVyYS5jb20vZ3giLCJtZWRpdW0iOiJ0cCIsInNpdGUiOiJvcGVyYV9jb20iLCJzb3VyY2UiOiJlZ3NfdmlhX29wZXJhX2NvbSIsInRyeWFnYWluIjoieWVzIn0sInV1aWQiOiJhMzNmZDc4Ny05MzE2LTQxNjMtYmFlYS1kMTFkYjE1Nzc4NzUifQ== " --desktopshortcut=1 --wait-for-package --initial-proc-handle=4806000000000000
  2⤵
  PID:824
- - C:\Users\Admin\AppData\Local\Temp\installer.exe
    C:\Users\Admin\AppData\Local\Temp\installer.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=82.0.4227.25 --initial-client-data=0x2f4,0x2f8,0x2fc,0x2d0,0x300,0x72e5f568,0x72e5f578,0x72e5f584
    3⤵
    PID:5004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\installer.exe

Filesize
3.2MB

MD5
59a68ed68edc9f9fb64fd21632b488ee

SHA1
806dc1ccf066bc479baf091dbc549b6b7dabd976

SHA256
db40e694d26ae2fefa4f9c90575ac7a2a4fe457159fd94194143929fc9c0fb0f

SHA512
5043a093ddbadd46dad82dd5e7ea5c47133abc4ea11e6ecf6597ac90639909c7c8d0fa797800839b6e122f3a154400fb7ec37fd95e1b3ad669e48c75a84d796a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2308011637057792888.dll

Filesize
4.5MB

MD5
71e26af0e69c4fd27b7675f3777c4102

SHA1
a69f8fd49847d62470b7110594077cec4cb676a0

SHA256
af1ba3b65c4880dbf578bb2cb672275328540aa66708217a8f91a5c8711def74

SHA512
18ac3e2e565131cd11d8e36523d83caded2d9496ab30d74f6d74c6d1e9f88c224859f7de027c673441de0eee57170bf00db989203d819d860c3d5fdf4f422a26

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2308011637067484464.dll

Filesize
4.5MB

MD5
71e26af0e69c4fd27b7675f3777c4102

SHA1
a69f8fd49847d62470b7110594077cec4cb676a0

SHA256
af1ba3b65c4880dbf578bb2cb672275328540aa66708217a8f91a5c8711def74

SHA512
18ac3e2e565131cd11d8e36523d83caded2d9496ab30d74f6d74c6d1e9f88c224859f7de027c673441de0eee57170bf00db989203d819d860c3d5fdf4f422a26

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2308011637077174180.dll

Filesize
4.5MB

MD5
71e26af0e69c4fd27b7675f3777c4102

SHA1
a69f8fd49847d62470b7110594077cec4cb676a0

SHA256
af1ba3b65c4880dbf578bb2cb672275328540aa66708217a8f91a5c8711def74

SHA512
18ac3e2e565131cd11d8e36523d83caded2d9496ab30d74f6d74c6d1e9f88c224859f7de027c673441de0eee57170bf00db989203d819d860c3d5fdf4f422a26

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2308011637077174180.dll

Filesize
4.5MB

MD5
71e26af0e69c4fd27b7675f3777c4102

SHA1
a69f8fd49847d62470b7110594077cec4cb676a0

SHA256
af1ba3b65c4880dbf578bb2cb672275328540aa66708217a8f91a5c8711def74

SHA512
18ac3e2e565131cd11d8e36523d83caded2d9496ab30d74f6d74c6d1e9f88c224859f7de027c673441de0eee57170bf00db989203d819d860c3d5fdf4f422a26

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_230801163713359824.dll

Filesize
1.6MB

MD5
326705cdb9fe2aa4b3bce009c1b6d1c4

SHA1
8a4aa94cd2bc2e8c4ae8922ce55e48d84fa51a13

SHA256
67660ec287e82a0e113f061cb2f2c17d4de381b018e200a5e32271a5d3f86d07

SHA512
eba66e613ebc489a23b3ab296b0c51377115431ac1a7b8eebab3d32c0e0a8f7c8bc918ddf024a45b429bf32225995f8ad5a3c36eebc22b3549782acde91217b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2308011637136095004.dll

Filesize
1.5MB

MD5
b5d9b579086a188adf9a195356989231

SHA1
bbd9b1a63ad4d944280b9d3c6de669353df0ef31

SHA256
f391c879c7a1ec8709e6500a62a388231d4a88053bda4298ef8ec919b6b6bc08

SHA512
e86fb6e859fbc89782255f2809b40a543c9354659b067550f0cf294159173270699562ae00de45a54c4244d06a79d484459d777964a725c4f1dc1e28bd96d6fd

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports\settings.dat

Filesize
40B

MD5
c61321f0762e34f60185faa90db0b182

SHA1
f350ac81f49d6d49e1ea31df6a042fa0de1a17e3

SHA256
3f8425de8f4b0a03dfaaa381df26491f62f27df5c677bd06f1b193807c052302

SHA512
06e653b54a47f8467898b04727ee7e6ef82a0f9c5a40a7871762d06938a7157635a62a0590bbb6e6ae1179b5aecece4ef50ba22fc833f61b66001d5b00b988fd

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports\settings.dat

Filesize
40B

MD5
c61321f0762e34f60185faa90db0b182

SHA1
f350ac81f49d6d49e1ea31df6a042fa0de1a17e3

SHA256
3f8425de8f4b0a03dfaaa381df26491f62f27df5c677bd06f1b193807c052302

SHA512
06e653b54a47f8467898b04727ee7e6ef82a0f9c5a40a7871762d06938a7157635a62a0590bbb6e6ae1179b5aecece4ef50ba22fc833f61b66001d5b00b988fd

Download Submit
memory/824-163-0x0000000000400000-0x00000000008F6000-memory.dmp

Filesize
5.0MB

Download
memory/2888-133-0x0000000000400000-0x00000000008F6000-memory.dmp

Filesize
5.0MB

Download
memory/4180-152-0x0000000000400000-0x00000000008F6000-memory.dmp

Filesize
5.0MB

Download
memory/4464-138-0x0000000000400000-0x00000000008F6000-memory.dmp

Filesize
5.0MB

Download
memory/5004-168-0x0000000000400000-0x00000000008F6000-memory.dmp

Filesize
5.0MB

Download