f87a0703ae19b66486e4d9d8e87308dc3d33c10ab242517c3311cdd1073e0f50

General

Target

f87a0703ae19b66486e4d9d8e87308dc3d33c10ab242517c3311cdd1073e0f50.exe
Size

3.3MB
MD5

e630f3b42b50717dee44021d819cbf7a
SHA1

165e80ae5ed29d4f0c657f5fec5a1e79497944ce
SHA256

f87a0703ae19b66486e4d9d8e87308dc3d33c10ab242517c3311cdd1073e0f50
SHA512

5b01a4db84e41986bb5c6539081b5348b9c0d2e7915ac507fefcae5a0e585b0a0fb5857d9e875852190e15418ca76b699e750594faaa3f17a937f6352995d73d
SSDEEP

98304:UMYtValhRO6wXbsJ1PW6x0MB4vwewRPeDa8JjioPjTvu:wtVapO6w++6Khv2E7PjT2

Score

8^/10

spyware stealer upx

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
1764	f87a0703ae19b66486e4d9d8e87308dc3d33c10ab242517c3311cdd1073e0f50.exe

Loads dropped DLL 3 IoCs

pid	Process
5028	f87a0703ae19b66486e4d9d8e87308dc3d33c10ab242517c3311cdd1073e0f50.exe
3388	f87a0703ae19b66486e4d9d8e87308dc3d33c10ab242517c3311cdd1073e0f50.exe
1764	f87a0703ae19b66486e4d9d8e87308dc3d33c10ab242517c3311cdd1073e0f50.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5028-1-0x00007FF742350000-0x00007FF74299A000-memory.dmp	upx
behavioral2/memory/3388-5-0x00007FF742350000-0x00007FF74299A000-memory.dmp	upx
behavioral2/files/0x000600000002310f-13.dat	upx
behavioral2/memory/1764-15-0x00007FF7A7F20000-0x00007FF7A856A000-memory.dmp	upx
behavioral2/memory/1764-19-0x00007FF7A7F20000-0x00007FF7A856A000-memory.dmp	upx
behavioral2/memory/5028-35-0x00007FF742350000-0x00007FF74299A000-memory.dmp	upx
behavioral2/memory/3388-36-0x00007FF742350000-0x00007FF74299A000-memory.dmp	upx

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	f87a0703ae19b66486e4d9d8e87308dc3d33c10ab242517c3311cdd1073e0f50.exe
File opened (read-only)	\??\F:	f87a0703ae19b66486e4d9d8e87308dc3d33c10ab242517c3311cdd1073e0f50.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	f87a0703ae19b66486e4d9d8e87308dc3d33c10ab242517c3311cdd1073e0f50.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e75490f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e4190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	f87a0703ae19b66486e4d9d8e87308dc3d33c10ab242517c3311cdd1073e0f50.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e199604000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	f87a0703ae19b66486e4d9d8e87308dc3d33c10ab242517c3311cdd1073e0f50.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5028	f87a0703ae19b66486e4d9d8e87308dc3d33c10ab242517c3311cdd1073e0f50.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5028 wrote to memory of 3388	5028	f87a0703ae19b66486e4d9d8e87308dc3d33c10ab242517c3311cdd1073e0f50.exe	86
PID 5028 wrote to memory of 3388	5028	f87a0703ae19b66486e4d9d8e87308dc3d33c10ab242517c3311cdd1073e0f50.exe	86
PID 5028 wrote to memory of 1764	5028	f87a0703ae19b66486e4d9d8e87308dc3d33c10ab242517c3311cdd1073e0f50.exe	87
PID 5028 wrote to memory of 1764	5028	f87a0703ae19b66486e4d9d8e87308dc3d33c10ab242517c3311cdd1073e0f50.exe	87

C:\Users\Admin\AppData\Local\Temp\f87a0703ae19b66486e4d9d8e87308dc3d33c10ab242517c3311cdd1073e0f50.exe
"C:\Users\Admin\AppData\Local\Temp\f87a0703ae19b66486e4d9d8e87308dc3d33c10ab242517c3311cdd1073e0f50.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5028
- C:\Users\Admin\AppData\Local\Temp\f87a0703ae19b66486e4d9d8e87308dc3d33c10ab242517c3311cdd1073e0f50.exe
  C:\Users\Admin\AppData\Local\Temp\f87a0703ae19b66486e4d9d8e87308dc3d33c10ab242517c3311cdd1073e0f50.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Crypto Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Crypto Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktopCrypto --annotation=ver=90.0.4480.128 --initial-client-data=0x2b4,0x2b8,0x2bc,0x290,0x2c0,0x7fff63807470,0x7fff63807480,0x7fff63807490
  2⤵
  - Loads dropped DLL
  PID:3388
- C:\Users\Admin\AppData\Local\Temp\.opera\Opera Crypto Installer Temp\f87a0703ae19b66486e4d9d8e87308dc3d33c10ab242517c3311cdd1073e0f50.exe
  "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Crypto Installer Temp\f87a0703ae19b66486e4d9d8e87308dc3d33c10ab242517c3311cdd1073e0f50.exe" --version
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Crypto Installer Temp\f87a0703ae19b66486e4d9d8e87308dc3d33c10ab242517c3311cdd1073e0f50.exe

Filesize
1.9MB

MD5
74e3c89fdfd2b14cd5fbfa79862b41d2

SHA1
3d55c4ef60753e992d731fb392b06056ffe915df

SHA256
fcd6e8bb686ce2ad27a2d69386529d8b4bbf175fad6d09851548b6022e8726f7

SHA512
00991ce96428231ccc65b2b09b020cf9aac073ab8b7e7554a341068511310c639368aa64c13c4342c5a0c9754fe6021dd56b2db89f20cbe2a2379374b7350c9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Crypto Installer Temp\opera_package_202402241236261\opera_package

Filesize
320KB

MD5
026e364521b22b899fafefe63434af8c

SHA1
00460a17afd56ce8ec29f96dce8db0316830a513

SHA256
917dbfce71f780822034cb0d97cfd79b681927627b51fa40333f558dab831eb3

SHA512
b6772a32b6643cd9eb9241b9c3c1fb9404fee9f55c08148bac951bb041d8128194b22e75001ebe4faa7cdbd30bcff6d8b10eccaf08a27d45369ac78e5ad46855

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2402241236230845028.dll

Filesize
2.4MB

MD5
c5e7c483a60786418faec9115ab0ad8b

SHA1
8938a8c303047c21212eff558d2557c98d7bb70f

SHA256
c7ac2a6a23721b7c37241273d9c8daf3803d71dfde0250f60455b856aeea7a3a

SHA512
858846b5135921ecbf37ba993dc4d7df097b607337e1b680b2fa788b938d98e5d7f1623cde1b03ed03ec890fa50ec2c24068642b8edf3821b30acca64cdd56be

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2402241236234753388.dll

Filesize
95KB

MD5
ca26544882e8eef00588cd94caac58b3

SHA1
164cb376734882f8c8a0bdb239dcdb609773c421

SHA256
9056018bc3b6623e463c7a49063734468dfda8657c8939c5d31aa7d4557aed31

SHA512
fb9c095d51f1a3a9f67ffba62f4112dccdd08378ce791129d191c69864f3c61447972a260b5f9775990d5c48b1bf512128269e1dfe050b05353e5fcc076ebded

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2402241236256471764.dll

Filesize
1.9MB

MD5
eaccde1dcf96f9f888ff423cdb2a31d7

SHA1
0b1a42cf8bb41a2ae6c53ac13274181f720ca8f9

SHA256
db711ff6fa2748768ffc58dce483a8e3d0967dbcf5ebd40089c431c7b7f5601d

SHA512
904861d45ead68b5fdc95c719bd4efa37c9ff295e13f4cb4a3c5e3b3bec892c6ebb7ee0af386f775524ec1811bc59ef9354cfc1248e58f5507eddeb32b179cba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2402241236256471764.dll

Filesize
1.6MB

MD5
79225501272d1ecf341dc377e54c48ed

SHA1
a61b8de3bb980a7b2e7a01c14ff825170e0a44c2

SHA256
a20b681eb2e8ac83e66f6c9b3b2601e94a7d9ee397855fefbfcb61bc55184593

SHA512
2a9e8a883266c71d89349dac0380defdc0e957547bc88048bf167a0eb3fe723829d5ead42e87f690c74f32d099106541a38448316d23ce27e886eeef57c8ea18

Download Submit
memory/1764-15-0x00007FF7A7F20000-0x00007FF7A856A000-memory.dmp

Filesize
6.3MB

Download
memory/1764-19-0x00007FF7A7F20000-0x00007FF7A856A000-memory.dmp

Filesize
6.3MB

Download
memory/3388-5-0x00007FF742350000-0x00007FF74299A000-memory.dmp

Filesize
6.3MB

Download
memory/3388-36-0x00007FF742350000-0x00007FF74299A000-memory.dmp

Filesize
6.3MB

Download
memory/5028-1-0x00007FF742350000-0x00007FF74299A000-memory.dmp

Filesize
6.3MB

Download
memory/5028-35-0x00007FF742350000-0x00007FF74299A000-memory.dmp

Filesize
6.3MB

Download

Analysis

Sharing