1cc417c05d1a0ffc1f480e33158fb8230c093ab22b1bc90371e189ab8aaf96a1

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12-03-2024 04:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

28050c06cb9377a1f54773370b24723e0d2849b5b71899bed40b9da7837f2974.exe
Size

43KB
MD5

d406ce5200488ab3fb725bbd16324864
SHA1

f7f619307ec9b463abfc7ede001274d12cdc447e
SHA256

28050c06cb9377a1f54773370b24723e0d2849b5b71899bed40b9da7837f2974
SHA512

461822da36db093cae46ab3b1a5fa34617f9fb37bec97c38c33efd134c61df75fecc3192442005645c30c411d6e0eedff6d130c053d80ad557064df12c89a883
SSDEEP

768:XIeRwUuo7jHzx2ET1RVfyCSUz2rx2ET1RVfyCSUzcA20I2BDWNAMxkEQp:1RTuCxH1RAO2rxH1RAOcAsCWFx6

Score

8^/10

spyware stealer upx

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 8 IoCs

Processes:

OperaSetup.exeOperaSetup.exeOperaSetup.exeOperaSetup.exeOperaSetup.exeAssistant_108.0.5067.20_Setup.exe_sfx.exeassistant_installer.exeassistant_installer.exe

pid	process
4536	OperaSetup.exe
640	OperaSetup.exe
2940	OperaSetup.exe
4688	OperaSetup.exe
4972	OperaSetup.exe
4852	Assistant_108.0.5067.20_Setup.exe_sfx.exe
3064	assistant_installer.exe
3056	assistant_installer.exe

Loads dropped DLL 9 IoCs

Processes:

OperaSetup.exeOperaSetup.exeOperaSetup.exeOperaSetup.exeOperaSetup.exeassistant_installer.exeassistant_installer.exe

pid	process
4536	OperaSetup.exe
640	OperaSetup.exe
2940	OperaSetup.exe
4688	OperaSetup.exe
4972	OperaSetup.exe
3064	assistant_installer.exe
3064	assistant_installer.exe
3056	assistant_installer.exe
3056	assistant_installer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\OperaSetup\OperaSetup.exe	upx
behavioral2/memory/4536-6-0x00000000001C0000-0x00000000006F4000-memory.dmp	upx
behavioral2/memory/640-15-0x00000000001C0000-0x00000000006F4000-memory.dmp	upx
behavioral2/memory/2940-23-0x00000000005E0000-0x0000000000B14000-memory.dmp	upx
behavioral2/memory/2940-27-0x00000000005E0000-0x0000000000B14000-memory.dmp	upx
behavioral2/memory/4688-34-0x00000000001C0000-0x00000000006F4000-memory.dmp	upx
behavioral2/memory/4972-49-0x00000000001C0000-0x00000000006F4000-memory.dmp	upx
behavioral2/memory/4536-56-0x00000000001C0000-0x00000000006F4000-memory.dmp	upx
behavioral2/memory/640-57-0x00000000001C0000-0x00000000006F4000-memory.dmp	upx

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

OperaSetup.exeOperaSetup.exe

description	ioc	process
File opened (read-only)	\??\D:	OperaSetup.exe
File opened (read-only)	\??\F:	OperaSetup.exe
File opened (read-only)	\??\D:	OperaSetup.exe
File opened (read-only)	\??\F:	OperaSetup.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

OperaSetup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	OperaSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e75490f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e4190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	OperaSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e199604000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	OperaSetup.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

28050c06cb9377a1f54773370b24723e0d2849b5b71899bed40b9da7837f2974.exe

description pid process

Token: SeDebugPrivilege 4988 28050c06cb9377a1f54773370b24723e0d2849b5b71899bed40b9da7837f2974.exe

description	pid	process
Token: SeDebugPrivilege	4988	28050c06cb9377a1f54773370b24723e0d2849b5b71899bed40b9da7837f2974.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

28050c06cb9377a1f54773370b24723e0d2849b5b71899bed40b9da7837f2974.exeOperaSetup.exeOperaSetup.exeassistant_installer.exe

description	pid	process	target process
PID 4988 wrote to memory of 4536	4988	28050c06cb9377a1f54773370b24723e0d2849b5b71899bed40b9da7837f2974.exe	OperaSetup.exe
PID 4988 wrote to memory of 4536	4988	28050c06cb9377a1f54773370b24723e0d2849b5b71899bed40b9da7837f2974.exe	OperaSetup.exe
PID 4988 wrote to memory of 4536	4988	28050c06cb9377a1f54773370b24723e0d2849b5b71899bed40b9da7837f2974.exe	OperaSetup.exe
PID 4536 wrote to memory of 640	4536	OperaSetup.exe	OperaSetup.exe
PID 4536 wrote to memory of 640	4536	OperaSetup.exe	OperaSetup.exe
PID 4536 wrote to memory of 640	4536	OperaSetup.exe	OperaSetup.exe
PID 4536 wrote to memory of 2940	4536	OperaSetup.exe	OperaSetup.exe
PID 4536 wrote to memory of 2940	4536	OperaSetup.exe	OperaSetup.exe
PID 4536 wrote to memory of 2940	4536	OperaSetup.exe	OperaSetup.exe
PID 4536 wrote to memory of 4688	4536	OperaSetup.exe	OperaSetup.exe
PID 4536 wrote to memory of 4688	4536	OperaSetup.exe	OperaSetup.exe
PID 4536 wrote to memory of 4688	4536	OperaSetup.exe	OperaSetup.exe
PID 4688 wrote to memory of 4972	4688	OperaSetup.exe	OperaSetup.exe
PID 4688 wrote to memory of 4972	4688	OperaSetup.exe	OperaSetup.exe
PID 4688 wrote to memory of 4972	4688	OperaSetup.exe	OperaSetup.exe
PID 4536 wrote to memory of 4852	4536	OperaSetup.exe	Assistant_108.0.5067.20_Setup.exe_sfx.exe
PID 4536 wrote to memory of 4852	4536	OperaSetup.exe	Assistant_108.0.5067.20_Setup.exe_sfx.exe
PID 4536 wrote to memory of 4852	4536	OperaSetup.exe	Assistant_108.0.5067.20_Setup.exe_sfx.exe
PID 4536 wrote to memory of 3064	4536	OperaSetup.exe	assistant_installer.exe
PID 4536 wrote to memory of 3064	4536	OperaSetup.exe	assistant_installer.exe
PID 4536 wrote to memory of 3064	4536	OperaSetup.exe	assistant_installer.exe
PID 3064 wrote to memory of 3056	3064	assistant_installer.exe	assistant_installer.exe
PID 3064 wrote to memory of 3056	3064	assistant_installer.exe	assistant_installer.exe
PID 3064 wrote to memory of 3056	3064	assistant_installer.exe	assistant_installer.exe

C:\Users\Admin\AppData\Local\Temp\28050c06cb9377a1f54773370b24723e0d2849b5b71899bed40b9da7837f2974.exe
"C:\Users\Admin\AppData\Local\Temp\28050c06cb9377a1f54773370b24723e0d2849b5b71899bed40b9da7837f2974.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4988

C:\Users\Admin\AppData\Local\Temp\OperaSetup\OperaSetup.exe
"C:\Users\Admin\AppData\Local\Temp\OperaSetup\OperaSetup.exe" -silent --allusers=0 --otd="utm.medium:apb,utm.source:RSTP,utm.campaign:op266"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:4536

C:\Users\Admin\AppData\Local\Temp\OperaSetup\OperaSetup.exe
C:\Users\Admin\AppData\Local\Temp\OperaSetup\OperaSetup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=107.0.5045.21 --initial-client-data=0x2f4,0x2f8,0x2fc,0x2b4,0x300,0x6ddf1184,0x6ddf1190,0x6ddf119c
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:640

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\OperaSetup.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\OperaSetup.exe" --version
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2940

C:\Users\Admin\AppData\Local\Temp\OperaSetup\OperaSetup.exe
"C:\Users\Admin\AppData\Local\Temp\OperaSetup\OperaSetup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=4536 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240312040610" --session-guid=df96be7a-9f54-4798-9ba1-c24fba0060a5 --server-tracking-blob="M2Q0NmJiMmI5ZTcwZDQ3ZWYwYmY2NjE3M2VhYTg3YzY5YzVhMjI0NDY4NzgwNzM4ZmU0ZDkxODAxM2FiNWFiYjp7ImNvdW50cnkiOiJSVSIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGU/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1SU1RQJnV0bV9jYW1wYWlnbj1vcDIiLCJzeXN0ZW0iOnsicGxhdGZvcm0iOnsiYXJjaCI6Ing4Nl82NCIsIm9wc3lzIjoiV2luZG93cyIsIm9wc3lzLXZlcnNpb24iOiIxMCIsInBhY2thZ2UiOiJFWEUifX0sInRpbWVzdGFtcCI6IjE3MDg0MjgxODYuNDMwMiIsInVzZXJhZ2VudCI6IldnZXQvMS4xOS41IChsaW51eC1nbnUpIiwidXRtIjp7ImNhbXBhaWduIjoib3AyNjYiLCJtZWRpdW0iOiJhcGIiLCJzb3VyY2UiOiJSU1RQIn0sInV1aWQiOiJmYWU5YWRmNi1iNWQ2LTQ1N2EtODlmOS0wZjk0YzgwMDE0Y2QifQ== " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=8805000000000000
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:4688

C:\Users\Admin\AppData\Local\Temp\OperaSetup\OperaSetup.exe
C:\Users\Admin\AppData\Local\Temp\OperaSetup\OperaSetup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=107.0.5045.21 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2c0,0x2f0,0x6c781184,0x6c781190,0x6c78119c
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4972

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403120406101\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403120406101\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"
3⤵
- Executes dropped EXE
PID:4852

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403120406101\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403120406101\assistant\assistant_installer.exe" --version
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3064

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403120406101\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403120406101\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x26c,0x270,0x274,0x248,0x278,0x11b0040,0x11b004c,0x11b0058
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403120406101\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
Filesize
2.5MB

MD5
20d293b9bf23403179ca48086ba88867

SHA1
dedf311108f607a387d486d812514a2defbd1b9e

SHA256
fd996b95ae46014edfd630bfc2bf8bc9e626adf883a1da017a8c3973b68ec348

SHA512
5d575c6f0d914583f9bb54f7b884caf9182f26f850da9bdd962f4ed5ed7258316a46fafaf3828dccb6916baaadb681fe1d175a3f4ed59f56066dc7e32b66f7b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403120406101\assistant\assistant_installer.exe
Filesize
846KB

MD5
ef390ce36876f6c0d4c74c2b250ba141

SHA1
1ac930d14999a4a8f3fd8c0a226647e2896ad7cf

SHA256
0217e3d40abf88717177d36c55300ba2ce0dbe30eda2daa9bfee879636dcaf68

SHA512
d976d275440c745c61117149cbcaff1c86ee0b1eb9d600880d29fcfceb610c22667a6fca18d09f90eeb702ce277492a90732199a3bdbddce27c1032cc25a201f

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403120406101\assistant\assistant_installer.exe
Filesize
1.9MB

MD5
b3f05009b53af6435e86cfd939717e82

SHA1
770877e7c5f03e8d684984fe430bdfcc2cf41b26

SHA256
3ea8d40fcede1fc03e5603246d75d13e8d44d7229d4c390c39a55534053027f7

SHA512
d2dee80aaa79b19f1eb1db85079a05f621780e06bfea9e838b62d757ba29399f9090ec7c6ff553377c9b712f3ba8dd812cdff39f3e28829928e86746a8ac6b27

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403120406101\assistant\dbgcore.DLL
Filesize
166KB

MD5
8b6f64e5d3a608b434079e50a1277913

SHA1
03f431fabf1c99a48b449099455c1575893d9f32

SHA256
926d444ffca166e006920412677c4ed2ef159cf0efc0578cb45b824f428f5eb2

SHA512
c9aeac62ece564ac64a894300fb9d41d13f22951ead73421854c23c506760d984dff0af92bef2d80f3a66e782f0075832e9c24a50ae6110d27a25c14e065b41c

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403120406101\assistant\dbghelp.dll
Filesize
960KB

MD5
66938aa09fb8a0ade5628d98197f5ed0

SHA1
0105f1388a8f69df5e5014851134f76ec889f1ec

SHA256
b22c1cbef51701362cb36e54c61b605526caf3fae88dc77492562dddf26efb26

SHA512
9cdc6920e7c60133775477bd2b71c7e24b7efb70c4871d4b70a73e30225bae690c25040d32bb5f8dd46470e5a92d5ce3404618dbcafbff9bc9f92fa6f030f2fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403120406101\assistant\dbghelp.dll
Filesize
768KB

MD5
a2e2c6d725dea1c49eb40b0e7b134e1b

SHA1
c425999011065bc87c40806e4adf39c006350fe1

SHA256
b345407859596eec3f014f1f3e47aaba9bd63fe20be26e3125e2762bb207778d

SHA512
10ce4fcde83f478579e99156842d46109a96e5d1c93ec9cb066df5606545f8b5c1b5013cec472691daba97a97842c05fb25f1582df8fbb03317c4f4079580042

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403120406101\assistant\dbghelp.dll
Filesize
1.7MB

MD5
925ea07f594d3fce3f73ede370d92ef7

SHA1
f67ea921368c288a9d3728158c3f80213d89d7c2

SHA256
6d02ebd4ec9a6093f21cd8ccefb9445fa0ab7b1f69ac868a5cfc5d28ed8d2de9

SHA512
a809851da820d9fdd8fb860a8f549311dcc2579df2c6f6fba74f50d5d8bf94baa834b09fb5476ac248f18d1deb6b47d4fdd6d658889d5d45ca8774a9264483d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403120406101\opera_package
Filesize
12.2MB

MD5
c7fa40445a02c718e1d8ee436c396b4c

SHA1
8089fe6437761e65f6d7f5e2202fe865adabcc78

SHA256
a23611162ebd4ac6a3e57a4a0a82e0c337a4be263a41cac67f9882090f369fb0

SHA512
64b576be74065ae2c2d3599a11e6311f2fe994cfd27d04adcb0c525c68489cb584bf2d04aabaa5dc0f035175727f7a461b05ff938fd43cf6ad216e5427675efc

Download Submit
C:\Users\Admin\AppData\Local\Temp\OperaSetup\OperaSetup.exe
Filesize
2.8MB

MD5
7b40e391f1ccfd9c7b7bb1e052e42d4e

SHA1
a87a6c8e2f2600ed6424c0de74fceeb31271913b

SHA256
2d324903b695572256bdc3cb4e569ef0585749ef784f6cd70d0438a8ce14baff

SHA512
4bf664d74569fa4f25e8f4965d1fd195c379caaad0cfb22843898426dde6a7cc9dd3ec6e1b879fee115aecea79d3e6536e8faa2a4f1d6da28ffa438f36367bf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403120406066124536.dll
Filesize
4.6MB

MD5
e0c1954fefffbaba33bf88088a5cb4fc

SHA1
c271a74a2c828b829de71482537b9723c9c9de40

SHA256
77c3f13ea98f68c966cc6c4f5a40f14c8a877d421219b8f77e08f6e88c79dcd1

SHA512
8e4c1f84f2247548012a78a2df84b947b589c4b60f6729e4bbebd4f6cf14dd31dbf19d4ff623f3a80f8d5d88f34bc99165d649e8fabadf3a14808a93f55c5f24

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403120406084092940.dll
Filesize
3.3MB

MD5
13856319ed813c43b1caa599c29a4008

SHA1
3d3e77f6979b49db41ac8777bf9de0d80796fec3

SHA256
3f87755db07d95972ee52f40bce5ef64b255ad19292ea13bfb5b900a99645273

SHA512
2a03d214a92625857e0aeb1064cb0efc0bf23c06644b914076aab634ee95daabb3b2ce7c8c517bf7b988f0f77d7d0400d971d22280cf51945397d13044c228e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403120406108784688.dll
Filesize
3.6MB

MD5
661a50b1a89a5b398a122793bcc6483a

SHA1
53853076afc6469b753de473fc3e24df9550c982

SHA256
709dc14041227ba1856eec43cfebef2c3bf3dd513146db44023e27a4b8420285

SHA512
fec94356a6281020c9b88dede8ecfec000324f621ac242d29e74b629163afe59a9a1d6f163ad1ac4df0148ffba15fd428935320979492e5f0c4eb0a33b07c211

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat
Filesize
40B

MD5
cd069a4b79e891c0517a1f746c7c8ae8

SHA1
625a4b1eaa1ffcbd5bf53330291eb363d3f8f616

SHA256
54123ecb84d002ff028b0f64acf7b682599c5f4cc3d2d9988773ed5bb77e70d4

SHA512
109f235e7aeb8fba2132d6eff24e9f834762c5548bf683b2520565845387f48131f936117404811d44e1bafdfe6806ed699e7b9f6f98552265bb8c67d1b07f63

Download Submit
memory/640-15-0x00000000001C0000-0x00000000006F4000-memory.dmp

Filesize
5.2MB

Download
memory/640-57-0x00000000001C0000-0x00000000006F4000-memory.dmp

Filesize
5.2MB

Download
memory/2940-27-0x00000000005E0000-0x0000000000B14000-memory.dmp

Filesize
5.2MB

Download
memory/2940-23-0x00000000005E0000-0x0000000000B14000-memory.dmp

Filesize
5.2MB

Download
memory/4536-56-0x00000000001C0000-0x00000000006F4000-memory.dmp

Filesize
5.2MB

Download
memory/4536-6-0x00000000001C0000-0x00000000006F4000-memory.dmp

Filesize
5.2MB

Download
memory/4688-34-0x00000000001C0000-0x00000000006F4000-memory.dmp

Filesize
5.2MB

Download
memory/4972-49-0x00000000001C0000-0x00000000006F4000-memory.dmp

Filesize
5.2MB

Download
memory/4988-36-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/4988-31-0x00000000751A0000-0x0000000075950000-memory.dmp

Filesize
7.7MB

Download
memory/4988-0-0x00000000751A0000-0x0000000075950000-memory.dmp

Filesize
7.7MB

Download
memory/4988-2-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/4988-1-0x00000000001D0000-0x00000000001DE000-memory.dmp

Filesize
56KB

Download