28050c06cb9377a1f54773370b24723e0d2849b5b71899bed40b9da7837f2974

Resubmissions

12-03-2024 19:05

240312-xrt3caba48 8

12-03-2024 18:50

240312-xgzvvaae89 8

Analysis

max time kernel
146s
max time network
143s
platform
windows10-1703_x64
resource
win10-20240221-es
resource tags

arch:x64arch:x86image:win10-20240221-eslocale:es-esos:windows10-1703-x64systemwindows
submitted
12-03-2024 18:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

installer.exe
Size

43KB
MD5

d406ce5200488ab3fb725bbd16324864
SHA1

f7f619307ec9b463abfc7ede001274d12cdc447e
SHA256

28050c06cb9377a1f54773370b24723e0d2849b5b71899bed40b9da7837f2974
SHA512

461822da36db093cae46ab3b1a5fa34617f9fb37bec97c38c33efd134c61df75fecc3192442005645c30c411d6e0eedff6d130c053d80ad557064df12c89a883
SSDEEP

768:XIeRwUuo7jHzx2ET1RVfyCSUz2rx2ET1RVfyCSUzcA20I2BDWNAMxkEQp:1RTuCxH1RAO2rxH1RAOcAsCWFx6

Score

8^/10

spyware stealer upx

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 8 IoCs

Processes:

OperaSetup.exeOperaSetup.exeOperaSetup.exeOperaSetup.exeOperaSetup.exeAssistant_108.0.5067.20_Setup.exe_sfx.exeassistant_installer.exeassistant_installer.exe

pid	process
2452	OperaSetup.exe
2476	OperaSetup.exe
1004	OperaSetup.exe
4288	OperaSetup.exe
3960	OperaSetup.exe
4888	Assistant_108.0.5067.20_Setup.exe_sfx.exe
1872	assistant_installer.exe
368	assistant_installer.exe

Loads dropped DLL 9 IoCs

Processes:

OperaSetup.exeOperaSetup.exeOperaSetup.exeOperaSetup.exeOperaSetup.exeassistant_installer.exeassistant_installer.exe

pid	process
2452	OperaSetup.exe
2476	OperaSetup.exe
1004	OperaSetup.exe
4288	OperaSetup.exe
3960	OperaSetup.exe
1872	assistant_installer.exe
1872	assistant_installer.exe
368	assistant_installer.exe
368	assistant_installer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\OperaSetup\OperaSetup.exe	upx
behavioral1/memory/2452-7-0x0000000000360000-0x0000000000894000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\OperaSetup\OperaSetup.exe	upx
behavioral1/memory/2476-13-0x0000000000360000-0x0000000000894000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\OperaSetup\OperaSetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\OperaSetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\OperaSetup.exe	upx
behavioral1/memory/1004-25-0x0000000001300000-0x0000000001834000-memory.dmp	upx
behavioral1/memory/1004-26-0x0000000001300000-0x0000000001834000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\OperaSetup\OperaSetup.exe	upx
behavioral1/memory/4288-33-0x0000000000360000-0x0000000000894000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\OperaSetup\OperaSetup.exe	upx
behavioral1/memory/3960-39-0x0000000000360000-0x0000000000894000-memory.dmp	upx
behavioral1/memory/2452-60-0x0000000000360000-0x0000000000894000-memory.dmp	upx
behavioral1/memory/2476-61-0x0000000000360000-0x0000000000894000-memory.dmp	upx

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

OperaSetup.exeOperaSetup.exe

description	ioc	process
File opened (read-only)	\??\D:	OperaSetup.exe
File opened (read-only)	\??\F:	OperaSetup.exe
File opened (read-only)	\??\D:	OperaSetup.exe
File opened (read-only)	\??\F:	OperaSetup.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

OperaSetup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	OperaSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e75490f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e4190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	OperaSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e199604000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	OperaSetup.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

installer.exe

description pid process

Token: SeDebugPrivilege 4588 installer.exe

description	pid	process
Token: SeDebugPrivilege	4588	installer.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

installer.exeOperaSetup.exeOperaSetup.exeassistant_installer.exe

description	pid	process	target process
PID 4588 wrote to memory of 2452	4588	installer.exe	OperaSetup.exe
PID 4588 wrote to memory of 2452	4588	installer.exe	OperaSetup.exe
PID 4588 wrote to memory of 2452	4588	installer.exe	OperaSetup.exe
PID 2452 wrote to memory of 2476	2452	OperaSetup.exe	OperaSetup.exe
PID 2452 wrote to memory of 2476	2452	OperaSetup.exe	OperaSetup.exe
PID 2452 wrote to memory of 2476	2452	OperaSetup.exe	OperaSetup.exe
PID 2452 wrote to memory of 1004	2452	OperaSetup.exe	OperaSetup.exe
PID 2452 wrote to memory of 1004	2452	OperaSetup.exe	OperaSetup.exe
PID 2452 wrote to memory of 1004	2452	OperaSetup.exe	OperaSetup.exe
PID 2452 wrote to memory of 4288	2452	OperaSetup.exe	OperaSetup.exe
PID 2452 wrote to memory of 4288	2452	OperaSetup.exe	OperaSetup.exe
PID 2452 wrote to memory of 4288	2452	OperaSetup.exe	OperaSetup.exe
PID 4288 wrote to memory of 3960	4288	OperaSetup.exe	OperaSetup.exe
PID 4288 wrote to memory of 3960	4288	OperaSetup.exe	OperaSetup.exe
PID 4288 wrote to memory of 3960	4288	OperaSetup.exe	OperaSetup.exe
PID 2452 wrote to memory of 4888	2452	OperaSetup.exe	Assistant_108.0.5067.20_Setup.exe_sfx.exe
PID 2452 wrote to memory of 4888	2452	OperaSetup.exe	Assistant_108.0.5067.20_Setup.exe_sfx.exe
PID 2452 wrote to memory of 4888	2452	OperaSetup.exe	Assistant_108.0.5067.20_Setup.exe_sfx.exe
PID 2452 wrote to memory of 1872	2452	OperaSetup.exe	assistant_installer.exe
PID 2452 wrote to memory of 1872	2452	OperaSetup.exe	assistant_installer.exe
PID 2452 wrote to memory of 1872	2452	OperaSetup.exe	assistant_installer.exe
PID 1872 wrote to memory of 368	1872	assistant_installer.exe	assistant_installer.exe
PID 1872 wrote to memory of 368	1872	assistant_installer.exe	assistant_installer.exe
PID 1872 wrote to memory of 368	1872	assistant_installer.exe	assistant_installer.exe

C:\Users\Admin\AppData\Local\Temp\installer.exe
"C:\Users\Admin\AppData\Local\Temp\installer.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4588

C:\Users\Admin\AppData\Local\Temp\OperaSetup\OperaSetup.exe
"C:\Users\Admin\AppData\Local\Temp\OperaSetup\OperaSetup.exe" -silent --allusers=0 --otd="utm.medium:apb,utm.source:RSTP,utm.campaign:op266"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2452

C:\Users\Admin\AppData\Local\Temp\OperaSetup\OperaSetup.exe
C:\Users\Admin\AppData\Local\Temp\OperaSetup\OperaSetup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=107.0.5045.21 --initial-client-data=0x2c4,0x2c8,0x2cc,0x274,0x2d0,0x6d6f1184,0x6d6f1190,0x6d6f119c
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2476

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\OperaSetup.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\OperaSetup.exe" --version
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1004

C:\Users\Admin\AppData\Local\Temp\OperaSetup\OperaSetup.exe
"C:\Users\Admin\AppData\Local\Temp\OperaSetup\OperaSetup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=es --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=2452 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240312185034" --session-guid=19b5a106-c2ed-477e-967c-5d6c1b4d0b41 --server-tracking-blob="M2Q0NmJiMmI5ZTcwZDQ3ZWYwYmY2NjE3M2VhYTg3YzY5YzVhMjI0NDY4NzgwNzM4ZmU0ZDkxODAxM2FiNWFiYjp7ImNvdW50cnkiOiJSVSIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGU/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1SU1RQJnV0bV9jYW1wYWlnbj1vcDIiLCJzeXN0ZW0iOnsicGxhdGZvcm0iOnsiYXJjaCI6Ing4Nl82NCIsIm9wc3lzIjoiV2luZG93cyIsIm9wc3lzLXZlcnNpb24iOiIxMCIsInBhY2thZ2UiOiJFWEUifX0sInRpbWVzdGFtcCI6IjE3MDg0MjgxODYuNDMwMiIsInVzZXJhZ2VudCI6IldnZXQvMS4xOS41IChsaW51eC1nbnUpIiwidXRtIjp7ImNhbXBhaWduIjoib3AyNjYiLCJtZWRpdW0iOiJhcGIiLCJzb3VyY2UiOiJSU1RQIn0sInV1aWQiOiJmYWU5YWRmNi1iNWQ2LTQ1N2EtODlmOS0wZjk0YzgwMDE0Y2QifQ== " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=C404000000000000
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:4288

C:\Users\Admin\AppData\Local\Temp\OperaSetup\OperaSetup.exe
C:\Users\Admin\AppData\Local\Temp\OperaSetup\OperaSetup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=107.0.5045.21 --initial-client-data=0x2b8,0x2bc,0x2c0,0x294,0x2d0,0x6c321184,0x6c321190,0x6c32119c
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3960

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403121850341\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403121850341\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"
3⤵
- Executes dropped EXE
PID:4888

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403121850341\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403121850341\assistant\assistant_installer.exe" --version
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1872

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403121850341\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403121850341\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x24c,0x250,0x254,0x228,0x258,0x390040,0x39004c,0x390058
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\OperaSetup.exe
Filesize
791KB

MD5
552d2da40d4592c0ba0fd1b4ad520777

SHA1
ac88f61bf87ec5ccbbd8f17904675d30ebd034ce

SHA256
a185209de5d13be21a25b0d5a962d050b990f71a32157d3a2f3b6e65a153aaea

SHA512
ec39af1913335fa28d9e9518dfc035c89b68ec19950977e6dc3e9960586795ed55ac56ed8302998998e1849dc9e1672a58774d89566654feeac701dad7159e9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\OperaSetup.exe
Filesize
669KB

MD5
d4c0aa2952e1d4091614297fde27b023

SHA1
5b941361d2b62acdab8e6743cb3d86845d7de92a

SHA256
3a55ee82e49843d8ab09bdcc43f2ff9cee710f3ffc9e6ef733ff5c7a46a64f0c

SHA512
1fc08c16866673d1a796d686341ed9a76aab68f39452f8fac8a10ea6033095fcebfeec2f7b819e6e1dc1e415f6bdb660a84cf696ddca14c7e39ec50780d95fae

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403121850341\additional_file0.tmp
Filesize
2.5MB

MD5
20d293b9bf23403179ca48086ba88867

SHA1
dedf311108f607a387d486d812514a2defbd1b9e

SHA256
fd996b95ae46014edfd630bfc2bf8bc9e626adf883a1da017a8c3973b68ec348

SHA512
5d575c6f0d914583f9bb54f7b884caf9182f26f850da9bdd962f4ed5ed7258316a46fafaf3828dccb6916baaadb681fe1d175a3f4ed59f56066dc7e32b66f7b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403121850341\assistant\assistant_installer.exe
Filesize
1.9MB

MD5
b3f05009b53af6435e86cfd939717e82

SHA1
770877e7c5f03e8d684984fe430bdfcc2cf41b26

SHA256
3ea8d40fcede1fc03e5603246d75d13e8d44d7229d4c390c39a55534053027f7

SHA512
d2dee80aaa79b19f1eb1db85079a05f621780e06bfea9e838b62d757ba29399f9090ec7c6ff553377c9b712f3ba8dd812cdff39f3e28829928e86746a8ac6b27

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403121850341\assistant\dbgcore.DLL
Filesize
166KB

MD5
8b6f64e5d3a608b434079e50a1277913

SHA1
03f431fabf1c99a48b449099455c1575893d9f32

SHA256
926d444ffca166e006920412677c4ed2ef159cf0efc0578cb45b824f428f5eb2

SHA512
c9aeac62ece564ac64a894300fb9d41d13f22951ead73421854c23c506760d984dff0af92bef2d80f3a66e782f0075832e9c24a50ae6110d27a25c14e065b41c

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403121850341\assistant\dbghelp.dll
Filesize
1.7MB

MD5
925ea07f594d3fce3f73ede370d92ef7

SHA1
f67ea921368c288a9d3728158c3f80213d89d7c2

SHA256
6d02ebd4ec9a6093f21cd8ccefb9445fa0ab7b1f69ac868a5cfc5d28ed8d2de9

SHA512
a809851da820d9fdd8fb860a8f549311dcc2579df2c6f6fba74f50d5d8bf94baa834b09fb5476ac248f18d1deb6b47d4fdd6d658889d5d45ca8774a9264483d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403121850341\opera_package
Filesize
37.5MB

MD5
2f3f2294c51899744a9c10d90bf7433b

SHA1
2105e860bba92d3062803848492aa2ec92c0fe18

SHA256
5444dacf48d9f7bf28762bba338943cc27eb45681fb984bf606561ba1b6885e2

SHA512
9ce9a1c2bef16e7ffb3a03c9760449790d1ffbdcd7efc1fdfd6094dd90ce2680fe1e3ae4622ee792effa220aead2b7564140b3423459e7a8cfc5ec4a98c5de37

Download Submit
C:\Users\Admin\AppData\Local\Temp\OperaSetup\OperaSetup.exe
Filesize
1.4MB

MD5
c2bc3e45111315d726b261c96f1c0929

SHA1
3e8d73fd84445c09828d44de6a2d5f256f499c78

SHA256
833de04587e0cabcb0242c05b9cb90530b383b5818a5c596efc5951af7167b81

SHA512
03f8804649f50bbb602082cb7f6f773ecb8c9812114310718a7e0e0e56a3c19abddbf901958a43528354e0ef782e0414731d221805e0b3d994bc9211d580de35

Download Submit
C:\Users\Admin\AppData\Local\Temp\OperaSetup\OperaSetup.exe
Filesize
820KB

MD5
3ac94b5fb194ba8a21660c68e7e937ca

SHA1
f0e5181ffea1e6560fcdbf8a92f0c26af5085853

SHA256
91eb830c36055a25099a7dac6db5e3b29e648e1333e8b59965eda3bf1a91478e

SHA512
3820a2caa4ddd3ec28fd2e941567c757c11de6841b9504b97e8e4dfce8f90bfe52d3391b736a7f545fc00496e91f22010f786378d6fc1c4aec4628dfce6b8092

Download Submit
C:\Users\Admin\AppData\Local\Temp\OperaSetup\OperaSetup.exe
Filesize
928KB

MD5
21b1c7fc58f8157b1ef57200eb173419

SHA1
dcc4c3526a11fdc50b3cd186eea16e4bb516718c

SHA256
cf049c2a1442b84f51ed2cf0245b2b101fb8e90b4d40ad93a0b211375bebe53d

SHA512
c0d65444505c8166aeec36e41e1d7ee21b8f92bdf3aea8e5e8a5a95d0a59dd5f49b5ad946da66d3af8b5e5bb22bf1afd92077252fd562187abeb40932d8a98c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\OperaSetup\OperaSetup.exe
Filesize
448KB

MD5
83acea9e5e8881c5513799b7f1c905a5

SHA1
902e7d2010ad9926e7a3b69cf35f35e407e3ddca

SHA256
54468778be8f29101c50d3630d5d631b971f426e954d7f8689487b069d128c2f

SHA512
5682ef2b4e2c119bb9d41037fc2f952674893fec00c7fd21c940de815687b6a38a25b63c0bb6949ef37b70bdbae9a66742318e9d24dc912c52b17a76b04e7871

Download Submit
C:\Users\Admin\AppData\Local\Temp\OperaSetup\OperaSetup.exe
Filesize
2.5MB

MD5
a79fcbb481677b4f73e500e19bf59ee1

SHA1
bb405888bb7bd143afd3de070c39442bd9524932

SHA256
e2fd0311339641518e7414eec5419e14231cfb998566c95969fbc229d2d70a6f

SHA512
6fd8de9744c8daf9520fa94760a8a0ff9759423c62d0d2fbc9ec6b8de8c12a397f572e490ca014f4ea6cff482c3e362f2be050f71bc18c32da503a8e6a88d211

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403121850344011004.dll
Filesize
788KB

MD5
41e6fc2bb958f32fd1f07868b15fc34e

SHA1
3705af95defa922810a7aa6a3be1e91cbc4e1829

SHA256
3f797474ae2a6be5ebc515c18cd6f59e385b49e2bdac74bf61381230cb7d5dfe

SHA512
73bcf8c5d6736ab5d969248ea55728f1d84d71d084dda2206247573f96637a8bb9bdab6ae9b5d4db15bdd468b15137b183f5bab150e5ef0cb02abc7136cb5a4a

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat
Filesize
40B

MD5
5f61120d2f1761686b8bbf077e348b0d

SHA1
8292726e10fca47aa7d75149469d836e72ad8830

SHA256
a634fe087eefeb164cca251b0d46e5a8b0e095ef8440cd9e2a6e523aeb5cb2f7

SHA512
29cedcc9e56d991e0e6044db2fb49b3e65c40864cae7a59b9e43a99b5b2e2d5f98c9f5a1654aa5be98fac251dbd8f46b05cb9c77d2c331339e9c95947b56877f

Download Submit
\Users\Admin\AppData\Local\Temp\Opera_installer_2403121850340732452.dll
Filesize
1.3MB

MD5
ddc04032986ec063e7bc5b32cc0c9616

SHA1
ecc3fe516f2d982c585f0c3b16c5ac6e32683d93

SHA256
2f901edee1d36fb0398ee6d767ad2c30a77c3c66e15a38406b5e58735493ad5d

SHA512
87c02bf3494ad369954cd766d3ac12bcc5a970fbee939a2aa215670c9c46cab27361059547df862c956cf8dcfcf1aff4edaf4ca07c6ef27910b7d394a6e3123a

Download Submit
\Users\Admin\AppData\Local\Temp\Opera_installer_2403121850341512476.dll
Filesize
1.1MB

MD5
207d3740eaad820d619b1d6894c7bdd6

SHA1
e6e7d4438a14e6ec6e0b8ad13aea5ab2d8d0c4c0

SHA256
dc897972b6f8ddcfe042525c36130b8990905cddd4f204cdeaa9202279d249ff

SHA512
8b0160328aca166e1633ae748f6900612a191214251410d2fb899ec17c83a5dd3423237bd3cd87c25a94afe5041465a913597ad066eb18953517ee125c120b9f

Download Submit
\Users\Admin\AppData\Local\Temp\Opera_installer_2403121850344011004.dll
Filesize
736KB

MD5
463d7492369f5c426590d4c9dff3db58

SHA1
ab07f95022c8538a91ce2968879bacac24f7b9a3

SHA256
67774bedfb9f6b9d23215bed1977b4e8f0cacc3f104d9406c28ea2ef9905f0db

SHA512
422f99a988f8d153b373dafc23edbca85651cfc4c1c4bf33f6409e80d70dccbc73f21076a1a266aea6ca272bff530d5845ef14bd22238230315e6d9c313e171c

Download Submit
\Users\Admin\AppData\Local\Temp\Opera_installer_2403121850345424288.dll
Filesize
710KB

MD5
c8db0b32a9c5d4865a1780b4b8b4e6ad

SHA1
c81d51602cd37a707f2a1fbdc74d652a5d5c9e21

SHA256
16d9bcaa7b90eb71cf4b73d6e3e84a106af76b2ae3f6a5b0f2a6128aa7e93e48

SHA512
a383586e298ddbea49fe8f6d1e9ffbcfbcc7426cba11cd7bcad3a4eac75f06ff7c2aebaeecf96733de1110e0ce079bd76bd79ba1ed09be2dd0a472f94d5453b9

Download Submit
\Users\Admin\AppData\Local\Temp\Opera_installer_2403121850346203960.dll
Filesize
706KB

MD5
0df7b13e8de0727c1457570e397627a7

SHA1
dfca2d1dbe07812b5f029d44aba4e044a5f429dd

SHA256
670a115eb1d8e1ad238fdb7b42a006ab7ee47b61f9e971243d23c301b1567ad1

SHA512
1a5edeed8df5072f22d99768208539d5b7de02b989006d02b8882fb6c12a6e80b5e3fe0b06db8ba63a26589d71792b3b5cd50346de16d2ab00644c63e0041a44

Download Submit
memory/1004-26-0x0000000001300000-0x0000000001834000-memory.dmp

Filesize
5.2MB

Download
memory/1004-25-0x0000000001300000-0x0000000001834000-memory.dmp

Filesize
5.2MB

Download
memory/2452-60-0x0000000000360000-0x0000000000894000-memory.dmp

Filesize
5.2MB

Download
memory/2452-7-0x0000000000360000-0x0000000000894000-memory.dmp

Filesize
5.2MB

Download
memory/2476-61-0x0000000000360000-0x0000000000894000-memory.dmp

Filesize
5.2MB

Download
memory/2476-13-0x0000000000360000-0x0000000000894000-memory.dmp

Filesize
5.2MB

Download
memory/3960-39-0x0000000000360000-0x0000000000894000-memory.dmp

Filesize
5.2MB

Download
memory/4288-33-0x0000000000360000-0x0000000000894000-memory.dmp

Filesize
5.2MB

Download
memory/4588-59-0x0000000073CB0000-0x000000007439E000-memory.dmp

Filesize
6.9MB

Download
memory/4588-64-0x0000000005030000-0x0000000005040000-memory.dmp

Filesize
64KB

Download
memory/4588-0-0x0000000000520000-0x000000000052E000-memory.dmp

Filesize
56KB

Download
memory/4588-2-0x0000000005030000-0x0000000005040000-memory.dmp

Filesize
64KB

Download
memory/4588-1-0x0000000073CB0000-0x000000007439E000-memory.dmp

Filesize
6.9MB

Download
memory/4588-165-0x0000000005CD0000-0x0000000005DD2000-memory.dmp

Filesize
1.0MB

Download