ada1f60b55545c1f8a59fd28d2a5fd37d9655e9f059857121e1d493fada33750

Resubmissions

05/03/2024, 20:45

240305-zjqfasgh5w 8

05/03/2024, 20:41

05/03/2024, 20:40

05/03/2024, 20:37

05/03/2024, 20:34

05/03/2024, 20:31

05/03/2024, 20:27

Analysis

max time kernel
20s
max time network
24s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
05/03/2024, 20:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OperaGXSetup.exe
Size

3.4MB
MD5

b16754e31096ff084460514287187a29
SHA1

149d9d7bc7bfa0ee218e55eb3778ea3cf6184dc7
SHA256

ada1f60b55545c1f8a59fd28d2a5fd37d9655e9f059857121e1d493fada33750
SHA512

86fad8a6ee5660aac5a0fa172d6094585793cc6b86996941211292a9e91fc2571c8fa807a3021561909c841491400991f152f18c8e1d247c663ff600643224f7
SSDEEP

98304:TWo5jp/vdcY8uC+gOhUL+byztZXlAuoVGmKeLEcjXXV9bA:TP59/VcYZCOW+bO+5Eo9c

Score

8^/10

spyware stealer upx

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
3836	OperaGXSetup.exe

Loads dropped DLL 3 IoCs

pid	Process
3940	OperaGXSetup.exe
4712	OperaGXSetup.exe
3836	OperaGXSetup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3940-3-0x0000000000D40000-0x0000000001301000-memory.dmp	upx
behavioral1/memory/4712-7-0x0000000000D40000-0x0000000001301000-memory.dmp	upx
behavioral1/files/0x000600000001ac06-12.dat	upx
behavioral1/memory/3836-16-0x0000000000020000-0x00000000005E1000-memory.dmp	upx
behavioral1/memory/3836-17-0x0000000000020000-0x00000000005E1000-memory.dmp	upx
behavioral1/memory/3940-104-0x0000000000D40000-0x0000000001301000-memory.dmp	upx
behavioral1/memory/4712-114-0x0000000000D40000-0x0000000001301000-memory.dmp	upx

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	OperaGXSetup.exe
File opened (read-only)	\??\F:	OperaGXSetup.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1884	firefox.exe
Token: SeDebugPrivilege	1884	firefox.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
1884	firefox.exe
1884	firefox.exe
1884	firefox.exe
1884	firefox.exe
1884	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1884	firefox.exe
1884	firefox.exe
1884	firefox.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3940	OperaGXSetup.exe
1884	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3940 wrote to memory of 4712	3940	OperaGXSetup.exe	73
PID 3940 wrote to memory of 4712	3940	OperaGXSetup.exe	73
PID 3940 wrote to memory of 4712	3940	OperaGXSetup.exe	73
PID 3940 wrote to memory of 3836	3940	OperaGXSetup.exe	74
PID 3940 wrote to memory of 3836	3940	OperaGXSetup.exe	74
PID 3940 wrote to memory of 3836	3940	OperaGXSetup.exe	74
PID 2596 wrote to memory of 1884	2596	firefox.exe	77
PID 2596 wrote to memory of 1884	2596	firefox.exe	77
PID 2596 wrote to memory of 1884	2596	firefox.exe	77
PID 2596 wrote to memory of 1884	2596	firefox.exe	77
PID 2596 wrote to memory of 1884	2596	firefox.exe	77
PID 2596 wrote to memory of 1884	2596	firefox.exe	77
PID 2596 wrote to memory of 1884	2596	firefox.exe	77
PID 2596 wrote to memory of 1884	2596	firefox.exe	77
PID 2596 wrote to memory of 1884	2596	firefox.exe	77
PID 2596 wrote to memory of 1884	2596	firefox.exe	77
PID 2596 wrote to memory of 1884	2596	firefox.exe	77
PID 1884 wrote to memory of 3068	1884	firefox.exe	78
PID 1884 wrote to memory of 3068	1884	firefox.exe	78
PID 1884 wrote to memory of 3808	1884	firefox.exe	79
PID 1884 wrote to memory of 3808	1884	firefox.exe	79
PID 1884 wrote to memory of 3808	1884	firefox.exe	79
PID 1884 wrote to memory of 3808	1884	firefox.exe	79
PID 1884 wrote to memory of 3808	1884	firefox.exe	79
PID 1884 wrote to memory of 3808	1884	firefox.exe	79
PID 1884 wrote to memory of 3808	1884	firefox.exe	79
PID 1884 wrote to memory of 3808	1884	firefox.exe	79
PID 1884 wrote to memory of 3808	1884	firefox.exe	79
PID 1884 wrote to memory of 3808	1884	firefox.exe	79
PID 1884 wrote to memory of 3808	1884	firefox.exe	79
PID 1884 wrote to memory of 3808	1884	firefox.exe	79
PID 1884 wrote to memory of 3808	1884	firefox.exe	79
PID 1884 wrote to memory of 3808	1884	firefox.exe	79
PID 1884 wrote to memory of 3808	1884	firefox.exe	79
PID 1884 wrote to memory of 3808	1884	firefox.exe	79
PID 1884 wrote to memory of 3808	1884	firefox.exe	79
PID 1884 wrote to memory of 3808	1884	firefox.exe	79
PID 1884 wrote to memory of 3808	1884	firefox.exe	79
PID 1884 wrote to memory of 3808	1884	firefox.exe	79
PID 1884 wrote to memory of 3808	1884	firefox.exe	79
PID 1884 wrote to memory of 3808	1884	firefox.exe	79
PID 1884 wrote to memory of 3808	1884	firefox.exe	79
PID 1884 wrote to memory of 3808	1884	firefox.exe	79
PID 1884 wrote to memory of 3808	1884	firefox.exe	79
PID 1884 wrote to memory of 3808	1884	firefox.exe	79
PID 1884 wrote to memory of 3808	1884	firefox.exe	79
PID 1884 wrote to memory of 3808	1884	firefox.exe	79
PID 1884 wrote to memory of 3808	1884	firefox.exe	79
PID 1884 wrote to memory of 3808	1884	firefox.exe	79
PID 1884 wrote to memory of 3808	1884	firefox.exe	79
PID 1884 wrote to memory of 3808	1884	firefox.exe	79
PID 1884 wrote to memory of 3808	1884	firefox.exe	79
PID 1884 wrote to memory of 3808	1884	firefox.exe	79
PID 1884 wrote to memory of 3808	1884	firefox.exe	79
PID 1884 wrote to memory of 3808	1884	firefox.exe	79
PID 1884 wrote to memory of 3808	1884	firefox.exe	79
PID 1884 wrote to memory of 3808	1884	firefox.exe	79
PID 1884 wrote to memory of 3808	1884	firefox.exe	79
PID 1884 wrote to memory of 3808	1884	firefox.exe	79
PID 1884 wrote to memory of 3808	1884	firefox.exe	79
PID 1884 wrote to memory of 3808	1884	firefox.exe	79
PID 1884 wrote to memory of 3808	1884	firefox.exe	79
PID 1884 wrote to memory of 3808	1884	firefox.exe	79
PID 1884 wrote to memory of 3808	1884	firefox.exe	79

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe
"C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3940
- C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe
  C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=107.0.5045.37 --initial-client-data=0x2c0,0x2c4,0x2c8,0x29c,0x2cc,0x73d461e4,0x73d461f0,0x73d461fc
  2⤵
  - Loads dropped DLL
  PID:4712
- C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\OperaGXSetup.exe
  "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\OperaGXSetup.exe" --version
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3836

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1884
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1884.0.1917996845\462893500" -parentBuildID 20221007134813 -prefsHandle 1652 -prefMapHandle 1644 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ca44147-42d6-42ed-9c2e-701a2eb32ff3} 1884 "\\.\pipe\gecko-crash-server-pipe.1884" 1740 24caead5158 gpu
    3⤵
    PID:3068
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1884.1.1263586582\1145446332" -parentBuildID 20221007134813 -prefsHandle 2108 -prefMapHandle 2104 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d239aae2-a313-4aef-a458-27fa51914262} 1884 "\\.\pipe\gecko-crash-server-pipe.1884" 2120 24cae430e58 socket
    3⤵
    PID:3808
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1884.2.213061576\739452780" -childID 1 -isForBrowser -prefsHandle 2664 -prefMapHandle 2888 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a67a150-a7a4-4f40-8de0-f4e3d4e6ab41} 1884 "\\.\pipe\gecko-crash-server-pipe.1884" 2996 24cb2b99e58 tab
    3⤵
    PID:4004
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1884.3.7661310\1324725165" -childID 2 -isForBrowser -prefsHandle 1200 -prefMapHandle 2292 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4669c73e-d65a-40fa-b28c-dd86e310f8ac} 1884 "\\.\pipe\gecko-crash-server-pipe.1884" 3240 24cb130ee58 tab
    3⤵
    PID:3004
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1884.4.906483714\1751100932" -childID 3 -isForBrowser -prefsHandle 4364 -prefMapHandle 4360 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {da46c9c9-c645-436b-b380-03ef91e526c8} 1884 "\\.\pipe\gecko-crash-server-pipe.1884" 4376 24cb49d0158 tab
    3⤵
    PID:1436
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1884.5.205899487\1276893942" -childID 4 -isForBrowser -prefsHandle 4764 -prefMapHandle 4044 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c3a9312c-0ff4-44cd-9824-43045e5c19ba} 1884 "\\.\pipe\gecko-crash-server-pipe.1884" 4772 24cb4bcb458 tab
    3⤵
    PID:2844
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1884.6.1308871161\133649236" -childID 5 -isForBrowser -prefsHandle 4908 -prefMapHandle 4912 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1612b5d9-4227-4560-9023-831d6bc84d87} 1884 "\\.\pipe\gecko-crash-server-pipe.1884" 4900 24cb4bcd558 tab
    3⤵
    PID:4160
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1884.7.57260200\1009591479" -childID 6 -isForBrowser -prefsHandle 4900 -prefMapHandle 4992 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b7842ea-2490-43ea-bbb4-b638acbac97f} 1884 "\\.\pipe\gecko-crash-server-pipe.1884" 5108 24cb50ece58 tab
    3⤵
    PID:4448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\OperaGXSetup.exe

Filesize
1.2MB

MD5
c8e4c72005f0f24c8449d32052581210

SHA1
42be5bcd91664d443195e4d6ad4a0b3c134ad56f

SHA256
ab8b20d76c4946ccd494fe6d141c2f2485529ed92cbb1d91b81bef658ae4dc96

SHA512
dfac2dd48f3285c4618623daabf82d27f37d00d54d28774cb31b6bce00000bf3bd589ff72248ca29d1c7c0d0c71b9485b11772900bd1fe1ae2105697cd470c71

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403052041089923836.dll

Filesize
3.7MB

MD5
523d3878c2e91f906a3e512317e49b7b

SHA1
bf8a73e37c8543eb2c4746f84619e2f0f36210d4

SHA256
b3071d56ef9e93f40520b950421d95ff5ba2880099b59bddad7af6444cb50c26

SHA512
a43908ee08726118af84b085328525bd91007de03387f5d89b81de96992f2822ea05dcfc83e503a857232fb2be6595ba7444ea42c29a934c2bae6ad285d46179

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
c1730407585ede59d4751f5d365adbcd

SHA1
c5ad6ecd5c63748ffbf5dcaef0250095d2141cef

SHA256
b7a9e47de0ffa9951750fbff881d8dd42f2b3b9ae21405c23f62bea7a0072564

SHA512
26055cfa81f42c30847630ea016437665c00fcc788a110655f7a2039126885f4ca0ddef6f349cb11bad903652586544af199e24db522d8bcc9a9198032e5b614

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\datareporting\glean\pending_pings\b88eb0f1-453f-4669-978f-968fe38c8106

Filesize
12KB

MD5
2be58c57b14c3285228d2293bac1db33

SHA1
704b1247336b5245470126cca137e3dd0d4313db

SHA256
f96f9a3560ebc6418235b6a5a39fcd3cb5f831c9e61afb8be75a22242fc7f0c5

SHA512
9bcce69e27895973b32130668e00064359094774a8dcf9866b9886a3e5ec3ba8e5dee98b10a399a40a257f2660e3afcddc3204b33db378927ea4cea2711e92d6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\datareporting\glean\pending_pings\c7fb180b-2971-4211-9532-07f7a7246879

Filesize
746B

MD5
2a9e6276b42f8866ceadcc6d3c31dd2d

SHA1
ce83d1131651e1d645b65e6a188f84274d688324

SHA256
0210f596b63d4bc594c77f59f15ac7300624e18200b7d0e96687b5c30d68e845

SHA512
9e303f12ad7f319255011daa89bb6d53f03b75de19ed51dc161e60ddd0088386cd53686dc90b84897cb8be9034d217f6e0893b4af714e7fba90c32ba96b719ea

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
a7e58dd581c9f7cc5c4388686a087d3d

SHA1
fd8e6afa8bf59073139dc345ff6899181509009e

SHA256
3fc8840982da83e6ec892c5e0b81f5e1807770fa277ebe23ea0369d121e61c4d

SHA512
d4e65c48f1e49b3011d4e62255362f0a52541f7c4abb6f54326b5a0ee9c39d2f6747aeabf98904c3ab7a366ae9d29e84693def8a9ef108f6dd74edd6dc185ba2

Download Submit
\Users\Admin\AppData\Local\Temp\Opera_installer_2403052041082033940.dll

Filesize
5.2MB

MD5
2e9e548040cbc282125031030041b2a9

SHA1
a84b26339be4cdd889ac806227c3260d57296605

SHA256
b44501388ac04d3db78e167cc1dc4daea68aa5c7140a2976b5a8e04f6d2438eb

SHA512
8be8af00aabe5e5ccac38faaf9ed499ea9c84d6a180a3cbce81297b58e1b4cfff5597638587c8f81058f59e19f87ac4bcdacfb34e1fce7ac61128837e39d3e7b

Download Submit
\Users\Admin\AppData\Local\Temp\Opera_installer_2403052041089923836.dll

Filesize
2.5MB

MD5
5165fdf2c775530e9ed6b9e2c368cba1

SHA1
f7039c286e71a1ec2c9ed7e56565d7d88a8ee58d

SHA256
58282f5886f250087fa3c62edccb6b478011561a27c5da60cda9b63f5a0fa9bb

SHA512
5f7b1f261e91d10aa6472ff433f5027a220cecae3dc03a070faeb2f13a322ee71d40e6f4535744a5e49d4020b5d467a0045f0e6f56912a7b8851627483b2f6ed

Download Submit
memory/3836-16-0x0000000000020000-0x00000000005E1000-memory.dmp

Filesize
5.8MB

Download
memory/3836-17-0x0000000000020000-0x00000000005E1000-memory.dmp

Filesize
5.8MB

Download
memory/3940-3-0x0000000000D40000-0x0000000001301000-memory.dmp

Filesize
5.8MB

Download
memory/3940-104-0x0000000000D40000-0x0000000001301000-memory.dmp

Filesize
5.8MB

Download
memory/4712-7-0x0000000000D40000-0x0000000001301000-memory.dmp

Filesize
5.8MB

Download
memory/4712-114-0x0000000000D40000-0x0000000001301000-memory.dmp

Filesize
5.8MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads