ada1f60b55545c1f8a59fd28d2a5fd37d9655e9f059857121e1d493fada33750

Resubmissions

05/03/2024, 20:45

240305-zjqfasgh5w 8

05/03/2024, 20:41

05/03/2024, 20:40

05/03/2024, 20:37

05/03/2024, 20:34

05/03/2024, 20:31

05/03/2024, 20:27

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2024, 20:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OperaGXSetup.exe
Size

3.4MB
MD5

b16754e31096ff084460514287187a29
SHA1

149d9d7bc7bfa0ee218e55eb3778ea3cf6184dc7
SHA256

ada1f60b55545c1f8a59fd28d2a5fd37d9655e9f059857121e1d493fada33750
SHA512

86fad8a6ee5660aac5a0fa172d6094585793cc6b86996941211292a9e91fc2571c8fa807a3021561909c841491400991f152f18c8e1d247c663ff600643224f7
SSDEEP

98304:TWo5jp/vdcY8uC+gOhUL+byztZXlAuoVGmKeLEcjXXV9bA:TP59/VcYZCOW+bO+5Eo9c

Score

8^/10

spyware stealer upx

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
1484	OperaGXSetup.exe
4940	Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe
2576	assistant_installer.exe
3952	assistant_installer.exe

Loads dropped DLL 3 IoCs

pid	Process
2032	OperaGXSetup.exe
1544	OperaGXSetup.exe
1484	OperaGXSetup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2032-1-0x00000000008E0000-0x0000000000EA1000-memory.dmp	upx
behavioral2/memory/1544-5-0x00000000008E0000-0x0000000000EA1000-memory.dmp	upx
behavioral2/files/0x0007000000023230-12.dat	upx
behavioral2/memory/1484-14-0x0000000000F40000-0x0000000001501000-memory.dmp	upx
behavioral2/memory/1484-18-0x0000000000F40000-0x0000000001501000-memory.dmp	upx
behavioral2/memory/2032-36-0x00000000008E0000-0x0000000000EA1000-memory.dmp	upx
behavioral2/memory/1544-37-0x00000000008E0000-0x0000000000EA1000-memory.dmp	upx

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	OperaGXSetup.exe
File opened (read-only)	\??\F:	OperaGXSetup.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	OperaGXSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	OperaGXSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	OperaGXSetup.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2032	OperaGXSetup.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 1544	2032	OperaGXSetup.exe	89
PID 2032 wrote to memory of 1544	2032	OperaGXSetup.exe	89
PID 2032 wrote to memory of 1544	2032	OperaGXSetup.exe	89
PID 2032 wrote to memory of 1484	2032	OperaGXSetup.exe	90
PID 2032 wrote to memory of 1484	2032	OperaGXSetup.exe	90
PID 2032 wrote to memory of 1484	2032	OperaGXSetup.exe	90
PID 2032 wrote to memory of 4940	2032	OperaGXSetup.exe	102
PID 2032 wrote to memory of 4940	2032	OperaGXSetup.exe	102
PID 2032 wrote to memory of 4940	2032	OperaGXSetup.exe	102
PID 2032 wrote to memory of 2576	2032	OperaGXSetup.exe	103
PID 2032 wrote to memory of 2576	2032	OperaGXSetup.exe	103
PID 2032 wrote to memory of 2576	2032	OperaGXSetup.exe	103
PID 2576 wrote to memory of 3952	2576	assistant_installer.exe	104
PID 2576 wrote to memory of 3952	2576	assistant_installer.exe	104
PID 2576 wrote to memory of 3952	2576	assistant_installer.exe	104

C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe
"C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe
  C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=107.0.5045.37 --initial-client-data=0x2f4,0x2f8,0x2fc,0x2cc,0x300,0x74e161e4,0x74e161f0,0x74e161fc
  2⤵
  - Loads dropped DLL
  PID:1544
- C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\OperaGXSetup.exe
  "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\OperaGXSetup.exe" --version
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1484
- C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202403052028071\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe
  "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202403052028071\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe"
  2⤵
  - Executes dropped EXE
  PID:4940
- C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202403052028071\assistant\assistant_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202403052028071\assistant\assistant_installer.exe" --version
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202403052028071\assistant\assistant_installer.exe
    "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202403052028071\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=73.0.3856.382 --initial-client-data=0x26c,0x270,0x274,0x248,0x278,0x874f48,0x874f58,0x874f64
    3⤵
    - Executes dropped EXE
    PID:3952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\OperaGXSetup.exe

Filesize
3.4MB

MD5
b16754e31096ff084460514287187a29

SHA1
149d9d7bc7bfa0ee218e55eb3778ea3cf6184dc7

SHA256
ada1f60b55545c1f8a59fd28d2a5fd37d9655e9f059857121e1d493fada33750

SHA512
86fad8a6ee5660aac5a0fa172d6094585793cc6b86996941211292a9e91fc2571c8fa807a3021561909c841491400991f152f18c8e1d247c663ff600643224f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202403052028071\additional_file0.tmp

Filesize
1.4MB

MD5
e9a2209b61f4be34f25069a6e54affea

SHA1
6368b0a81608c701b06b97aeff194ce88fd0e3c0

SHA256
e950f17f4181009eeafa9f5306e8a9dfd26d88ca63b1838f44ff0efc738e7d1f

SHA512
59e46277ca79a43ed8b0a25b24eff013e251a75f90587e013b9c12851e5dd7283b6172f7d48583982f6a32069457778ee440025c1c754bf7bb6ce8ae1d2c3fc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202403052028071\assistant\assistant_installer.exe

Filesize
1.5MB

MD5
9cf330ea745f0a8fd14de095078d7ed4

SHA1
4f1b6927e74b6f424db4423545c0a4e4f4d6b52b

SHA256
efd31c9a9127b2d38d11261328859871e1abd75b6089d35e14d90d37de42c428

SHA512
90f7911d75465992f9e83abeba25354a987fcf9eea3f8c60b5cb30c5b567321277bf3a0a94c3a6ca7cc688cad9d52cad8fc8d38e1956138285bccba4568e3e85

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202403052028071\assistant\assistant_installer.exe

Filesize
1.7MB

MD5
fa6aa5bba45d83dfdb1f9796449ff366

SHA1
65cadf88b9c5c564a92b6b446e55e24f5f76c54d

SHA256
ac6250102548d31bed614e48c4f50c305916afffda88e1b5e8f440748e33bb49

SHA512
5e5e26618ad88fb99a2ac19f05f271ad007286a0eaf3e9ef4c56c2d101e87090c024f53da0ad88ecef47988869416093a772d691b15bda5e5ded267c140a1e01

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202403052028071\opera_package

Filesize
63.4MB

MD5
a283a633c2d26c9d5c3032adf5bccea5

SHA1
00b258c382434311d03a1a8a5102961ae4f71473

SHA256
56c91c0e438d7b908104244115ca1e4f8a0d1ea3face3270f5653ea32be2b2ce

SHA512
a55a5fb5c284e97bcd4701f45c18700bf1995659c836e5c42baeb9a0ba5384a9163fec1070ced5f8abfa2df95f9caa2f7ea2117a2ab72c3774569c1526d5b88a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403052028064162032.dll

Filesize
4.9MB

MD5
ae3c89c47602de72f591103e728d2b0e

SHA1
1ea328da0a09db15bf6343b9f99527beaa9bf56d

SHA256
e65e90abb3cec4e01fafddb65385b0378acfcfbf7b058718dc9b8c97375d8d23

SHA512
d53533522ebc38f449d7f986343e77af321360d891a5dab73bbe91de0ee09c708bda391c3126a07e330cbdda3bea0ffd374abe384261937135b4526d2f04ed63

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403052028066351544.dll

Filesize
4.0MB

MD5
deb5ef824f46c55e5a495a4351e5e8f0

SHA1
2a55173409e345e3cc83507d185976d78ace42b3

SHA256
02105143012d2f93bd7460beca13d6b50a9a95a70a2882c52febe849d159fd8f

SHA512
4ae46e89521f69afaea10486124ca7b464ef6a4a7b57817ab7b4195e1200d14fd0baa6de8a36e253cd2fbfbb52e29888a6f31000ee28bb51d499d13799feb041

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403052028068221484.dll

Filesize
3.3MB

MD5
b621ced3b459c1077b9cfcfc938cf907

SHA1
e9b15e8d2da3d49cdde06cd00eb5849b0989d5c9

SHA256
fc9bfa2ac58cf9ed1388d0068c240ff324510a42f7876f481c88c9b6e5713de3

SHA512
0a11aff0f3139150477faf1013fe72064f4c98291ddfb79ef32a1effbef48a3aa5ae5fb08c0454f73206aa76a072c3115703c6395ef4181ada823bcbf8a75791

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403052028068221484.dll

Filesize
3.6MB

MD5
fe4e27a31aacbda85fccf5b82f0795e7

SHA1
2fb0c4d1d3c7c3e8e3742e51c9dd0bacf3e2befb

SHA256
7ece41d488bb765e0a5b31b2a7dc093b1bb308cbc29c9f433c539ff369c2f070

SHA512
fa162046b347db53b1770f51f73ac0b97ee602a1637e2f09e113b26eae6be8c3ee40ece098ad7ff7eaa6746d9d42edbd0d3d851788883c3340476c4ecf9cd28b

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports\settings.dat

Filesize
40B

MD5
7c9788c11fa84ffcca469ed60ddfbfe5

SHA1
3ed28b7b374cd7fe522fbb2499969939b56861b8

SHA256
d7e9e3d94a1dc3e10b49aa9a199810332b546b6cb8444c4a41ac450041dc45f5

SHA512
3245d8a9039975233b39c55b4baf38feda0546ccbc5cfd718cb436bdce1bb321578475a377c531814dbc63a9f4a27f88bd3b8d3d64e8c8106bf9426ce5b26758

Download Submit
memory/1484-14-0x0000000000F40000-0x0000000001501000-memory.dmp

Filesize
5.8MB

Download
memory/1484-18-0x0000000000F40000-0x0000000001501000-memory.dmp

Filesize
5.8MB

Download
memory/1544-5-0x00000000008E0000-0x0000000000EA1000-memory.dmp

Filesize
5.8MB

Download
memory/1544-37-0x00000000008E0000-0x0000000000EA1000-memory.dmp

Filesize
5.8MB

Download
memory/2032-1-0x00000000008E0000-0x0000000000EA1000-memory.dmp

Filesize
5.8MB

Download
memory/2032-36-0x00000000008E0000-0x0000000000EA1000-memory.dmp

Filesize
5.8MB

Download