28050c06cb9377a1f54773370b24723e0d2849b5b71899bed40b9da7837f2974

Resubmissions

12-03-2024 19:05

240312-xrt3caba48 8

12-03-2024 18:50

240312-xgzvvaae89 8

Analysis

max time kernel
123s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20240226-es
resource tags

arch:x64arch:x86image:win10v2004-20240226-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
12-03-2024 19:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

installer.exe
Size

43KB
MD5

d406ce5200488ab3fb725bbd16324864
SHA1

f7f619307ec9b463abfc7ede001274d12cdc447e
SHA256

28050c06cb9377a1f54773370b24723e0d2849b5b71899bed40b9da7837f2974
SHA512

461822da36db093cae46ab3b1a5fa34617f9fb37bec97c38c33efd134c61df75fecc3192442005645c30c411d6e0eedff6d130c053d80ad557064df12c89a883
SSDEEP

768:XIeRwUuo7jHzx2ET1RVfyCSUz2rx2ET1RVfyCSUzcA20I2BDWNAMxkEQp:1RTuCxH1RAO2rxH1RAOcAsCWFx6

Score

8^/10

spyware stealer upx

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 8 IoCs

Processes:

OperaSetup.exeOperaSetup.exeOperaSetup.exeOperaSetup.exeOperaSetup.exeAssistant_108.0.5067.20_Setup.exe_sfx.exeassistant_installer.exeassistant_installer.exe

pid	process
1944	OperaSetup.exe
3280	OperaSetup.exe
4452	OperaSetup.exe
4172	OperaSetup.exe
4952	OperaSetup.exe
2920	Assistant_108.0.5067.20_Setup.exe_sfx.exe
4784	assistant_installer.exe
3508	assistant_installer.exe

Loads dropped DLL 9 IoCs

Processes:

OperaSetup.exeOperaSetup.exeOperaSetup.exeOperaSetup.exeOperaSetup.exeassistant_installer.exeassistant_installer.exe

pid	process
1944	OperaSetup.exe
3280	OperaSetup.exe
4452	OperaSetup.exe
4172	OperaSetup.exe
4952	OperaSetup.exe
4784	assistant_installer.exe
4784	assistant_installer.exe
3508	assistant_installer.exe
3508	assistant_installer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\OperaSetup\OperaSetup.exe	upx
behavioral1/memory/1944-6-0x0000000000700000-0x0000000000C34000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\OperaSetup\OperaSetup.exe	upx
behavioral1/memory/3280-12-0x0000000000700000-0x0000000000C34000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\OperaSetup\OperaSetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\OperaSetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\OperaSetup.exe	upx
behavioral1/memory/4452-27-0x0000000000AA0000-0x0000000000FD4000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\OperaSetup\OperaSetup.exe	upx
behavioral1/memory/4452-26-0x0000000000AA0000-0x0000000000FD4000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\OperaSetup\OperaSetup.exe	upx
behavioral1/memory/4172-31-0x0000000000700000-0x0000000000C34000-memory.dmp	upx
behavioral1/memory/4952-35-0x0000000000700000-0x0000000000C34000-memory.dmp	upx
behavioral1/memory/1944-54-0x0000000000700000-0x0000000000C34000-memory.dmp	upx
behavioral1/memory/3280-56-0x0000000000700000-0x0000000000C34000-memory.dmp	upx
behavioral1/memory/4952-58-0x0000000000700000-0x0000000000C34000-memory.dmp	upx

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

OperaSetup.exeOperaSetup.exe

description	ioc	process
File opened (read-only)	\??\D:	OperaSetup.exe
File opened (read-only)	\??\F:	OperaSetup.exe
File opened (read-only)	\??\D:	OperaSetup.exe
File opened (read-only)	\??\F:	OperaSetup.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

OperaSetup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	OperaSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e75490f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e4190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	OperaSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e199604000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	OperaSetup.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

installer.exe

description pid process

Token: SeDebugPrivilege 4848 installer.exe

description	pid	process
Token: SeDebugPrivilege	4848	installer.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

installer.exeOperaSetup.exeOperaSetup.exeassistant_installer.exe

description	pid	process	target process
PID 4848 wrote to memory of 1944	4848	installer.exe	OperaSetup.exe
PID 4848 wrote to memory of 1944	4848	installer.exe	OperaSetup.exe
PID 4848 wrote to memory of 1944	4848	installer.exe	OperaSetup.exe
PID 1944 wrote to memory of 3280	1944	OperaSetup.exe	OperaSetup.exe
PID 1944 wrote to memory of 3280	1944	OperaSetup.exe	OperaSetup.exe
PID 1944 wrote to memory of 3280	1944	OperaSetup.exe	OperaSetup.exe
PID 1944 wrote to memory of 4452	1944	OperaSetup.exe	OperaSetup.exe
PID 1944 wrote to memory of 4452	1944	OperaSetup.exe	OperaSetup.exe
PID 1944 wrote to memory of 4452	1944	OperaSetup.exe	OperaSetup.exe
PID 1944 wrote to memory of 4172	1944	OperaSetup.exe	OperaSetup.exe
PID 1944 wrote to memory of 4172	1944	OperaSetup.exe	OperaSetup.exe
PID 1944 wrote to memory of 4172	1944	OperaSetup.exe	OperaSetup.exe
PID 4172 wrote to memory of 4952	4172	OperaSetup.exe	OperaSetup.exe
PID 4172 wrote to memory of 4952	4172	OperaSetup.exe	OperaSetup.exe
PID 4172 wrote to memory of 4952	4172	OperaSetup.exe	OperaSetup.exe
PID 1944 wrote to memory of 2920	1944	OperaSetup.exe	Assistant_108.0.5067.20_Setup.exe_sfx.exe
PID 1944 wrote to memory of 2920	1944	OperaSetup.exe	Assistant_108.0.5067.20_Setup.exe_sfx.exe
PID 1944 wrote to memory of 2920	1944	OperaSetup.exe	Assistant_108.0.5067.20_Setup.exe_sfx.exe
PID 1944 wrote to memory of 4784	1944	OperaSetup.exe	assistant_installer.exe
PID 1944 wrote to memory of 4784	1944	OperaSetup.exe	assistant_installer.exe
PID 1944 wrote to memory of 4784	1944	OperaSetup.exe	assistant_installer.exe
PID 4784 wrote to memory of 3508	4784	assistant_installer.exe	assistant_installer.exe
PID 4784 wrote to memory of 3508	4784	assistant_installer.exe	assistant_installer.exe
PID 4784 wrote to memory of 3508	4784	assistant_installer.exe	assistant_installer.exe

C:\Users\Admin\AppData\Local\Temp\installer.exe
"C:\Users\Admin\AppData\Local\Temp\installer.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4848

C:\Users\Admin\AppData\Local\Temp\OperaSetup\OperaSetup.exe
"C:\Users\Admin\AppData\Local\Temp\OperaSetup\OperaSetup.exe" -silent --allusers=0 --otd="utm.medium:apb,utm.source:RSTP,utm.campaign:op266"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1944

C:\Users\Admin\AppData\Local\Temp\OperaSetup\OperaSetup.exe
C:\Users\Admin\AppData\Local\Temp\OperaSetup\OperaSetup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=107.0.5045.21 --initial-client-data=0x2f4,0x2f8,0x2fc,0x2b0,0x300,0x6dd21184,0x6dd21190,0x6dd2119c
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3280

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\OperaSetup.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\OperaSetup.exe" --version
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4452

C:\Users\Admin\AppData\Local\Temp\OperaSetup\OperaSetup.exe
"C:\Users\Admin\AppData\Local\Temp\OperaSetup\OperaSetup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=es --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=1944 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240312190615" --session-guid=f088f8b3-1d11-461b-8500-d68fed18e2c8 --server-tracking-blob="M2Q0NmJiMmI5ZTcwZDQ3ZWYwYmY2NjE3M2VhYTg3YzY5YzVhMjI0NDY4NzgwNzM4ZmU0ZDkxODAxM2FiNWFiYjp7ImNvdW50cnkiOiJSVSIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGU/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1SU1RQJnV0bV9jYW1wYWlnbj1vcDIiLCJzeXN0ZW0iOnsicGxhdGZvcm0iOnsiYXJjaCI6Ing4Nl82NCIsIm9wc3lzIjoiV2luZG93cyIsIm9wc3lzLXZlcnNpb24iOiIxMCIsInBhY2thZ2UiOiJFWEUifX0sInRpbWVzdGFtcCI6IjE3MDg0MjgxODYuNDMwMiIsInVzZXJhZ2VudCI6IldnZXQvMS4xOS41IChsaW51eC1nbnUpIiwidXRtIjp7ImNhbXBhaWduIjoib3AyNjYiLCJtZWRpdW0iOiJhcGIiLCJzb3VyY2UiOiJSU1RQIn0sInV1aWQiOiJmYWU5YWRmNi1iNWQ2LTQ1N2EtODlmOS0wZjk0YzgwMDE0Y2QifQ== " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=A405000000000000
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:4172

C:\Users\Admin\AppData\Local\Temp\OperaSetup\OperaSetup.exe
C:\Users\Admin\AppData\Local\Temp\OperaSetup\OperaSetup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=107.0.5045.21 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2c0,0x2f0,0x6c6b1184,0x6c6b1190,0x6c6b119c
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4952

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403121906151\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403121906151\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"
3⤵
- Executes dropped EXE
PID:2920

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403121906151\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403121906151\assistant\assistant_installer.exe" --version
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4784

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403121906151\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403121906151\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x26c,0x270,0x274,0x248,0x278,0x2b0040,0x2b004c,0x2b0058
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\OperaSetup.exe
Filesize
1.8MB

MD5
bbb5e0c863a64199f6fee9499ff09742

SHA1
f28ad9d4522de523ba4ed8e69e6f288aeaec9fdc

SHA256
2b3244b23f78973024bc2b9668d66f74199a25907838b967501b10f7518f9193

SHA512
44009ccd864eb68426564c6512ff98c4a9b94089051022b686723e90b630434b2843a7892b0ba3c2f4d9f7c08019d8e263695f492e6214cb4e6e758471e9c88a

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\OperaSetup.exe
Filesize
1.7MB

MD5
8553ad9a09328a2ba69c53b3413d4f87

SHA1
f9c35dee52753f9c3bbc4b2e69069c1ec1704019

SHA256
dc3fc642bce418b0c8aa5c200d934282174e5e701bb92974edc2b36a309dfcc2

SHA512
2eae2cc1e94910f0db75a6311b2671c55514fbea8fbf41ff2d540bbce570e993e54e5dc60c568ee58884b6d71c007b6581e867bffa2e63c1e9732d95257bcda0

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403121906151\additional_file0.tmp
Filesize
2.5MB

MD5
20d293b9bf23403179ca48086ba88867

SHA1
dedf311108f607a387d486d812514a2defbd1b9e

SHA256
fd996b95ae46014edfd630bfc2bf8bc9e626adf883a1da017a8c3973b68ec348

SHA512
5d575c6f0d914583f9bb54f7b884caf9182f26f850da9bdd962f4ed5ed7258316a46fafaf3828dccb6916baaadb681fe1d175a3f4ed59f56066dc7e32b66f7b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403121906151\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
Filesize
2.2MB

MD5
7ac15e313644930acf2180fde74011f4

SHA1
364f57050e4ab6edbfaea9d78399be786d8fb2b3

SHA256
62d500a8fb8ba60caa0e3f3f19a29f79a9612885e047848423646e9b8eeb1fe8

SHA512
dd54fc0865b56f184b529f44bc146af49f579c08acd396cc7355fb99845c25d1fc6a51f290c0a13c59a141500781979928610cab06c5c43cbd20e2f62ff50737

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403121906151\assistant\assistant_installer.exe
Filesize
1.8MB

MD5
95146fe518b8f94292ad07266e6c931e

SHA1
81a13c8c7c1baf0cc58be4ce5de4ec75caf22db0

SHA256
5451ad2f9746e2e94a2f5d73e98ef1318ade32d839fdd9264e5f081acb11312d

SHA512
044da5c5b128327850c749207352aa8c767c5dbef319da2753b612729b8bcd5b9f82114c5d131e5dcbfd47b1916f2ca3033e47c850138b2c6f2e230c92782ea3

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403121906151\assistant\assistant_installer.exe
Filesize
704KB

MD5
724e73b906cf94b24769b419cb344a9a

SHA1
9966710e8499420be0fa986ac1780a809ec93414

SHA256
1aeb13c1a2612a072261c92355cbbe09c2121129c9610ba9a6772be7f366a638

SHA512
c86914c78fb7f8e49f74ee63f6bb13e5a2a84210012c05bd849b1399c82fbb840fe8917b172e45ffd34c34d8cec503da0c57949188e3ccb51c4d7e3bb2d6eae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403121906151\assistant\dbgcore.dll
Filesize
166KB

MD5
8b6f64e5d3a608b434079e50a1277913

SHA1
03f431fabf1c99a48b449099455c1575893d9f32

SHA256
926d444ffca166e006920412677c4ed2ef159cf0efc0578cb45b824f428f5eb2

SHA512
c9aeac62ece564ac64a894300fb9d41d13f22951ead73421854c23c506760d984dff0af92bef2d80f3a66e782f0075832e9c24a50ae6110d27a25c14e065b41c

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403121906151\assistant\dbghelp.dll
Filesize
1.5MB

MD5
458b782070ebc9cc7559d45bb323a890

SHA1
39e2a667397f38e92d3596f9b62e4ee61a6ac854

SHA256
257aecf3b4105f5519ac9b3eb87c9c15519b79d9266edb07f5bc732529943812

SHA512
ece9ab1afa05ab622320ffd601ee0dd3fba4e40221f98da2971bf73f4fbb9cf76dc5c3c446e22ef52d42d6eb62ee2b34ffea02b4cfdc9b16bae148f2af331782

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403121906151\assistant\dbghelp.dll
Filesize
960KB

MD5
66938aa09fb8a0ade5628d98197f5ed0

SHA1
0105f1388a8f69df5e5014851134f76ec889f1ec

SHA256
b22c1cbef51701362cb36e54c61b605526caf3fae88dc77492562dddf26efb26

SHA512
9cdc6920e7c60133775477bd2b71c7e24b7efb70c4871d4b70a73e30225bae690c25040d32bb5f8dd46470e5a92d5ce3404618dbcafbff9bc9f92fa6f030f2fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403121906151\assistant\dbghelp.dll
Filesize
260KB

MD5
ee4ec8f993168c14053acd0588d28b99

SHA1
303f2f7edcb6f9d2a5f4226d4ab742e001fe8b07

SHA256
9bfbd10756455dc650c79d896ffd28e25c6f46c588666b408ae90473953abb33

SHA512
d669d9ddb7482a2572a6c5716a2b5904f1ba30970676e01c746f7e2a7c6f9fe12b6fcafed756bedc42fff755538b89c48979fa1eaca8c6046f914da7340e190b

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403121906151\opera_package
Filesize
6.1MB

MD5
5c3e91d43914e73a60a2717166061756

SHA1
716e8a6161028a4c6818caf4d821f31dedf372b3

SHA256
b5f5530170891668ccb9771b1643cdf6f22d698113e729d2f091952400cda695

SHA512
b89ce077d061421eba84c4065edb8056f4d475aa6ecd3b1a1857cb6c86c67265d2aef1e26fbb64738512721f4f7c5406d99a281d52b024ce80a4b8bc62b0f330

Download Submit
C:\Users\Admin\AppData\Local\Temp\OperaSetup\OperaSetup.exe
Filesize
1.2MB

MD5
cb8a68e5d6779fd1d4c703fb89804d08

SHA1
8456f751a000fbcb39b66e9194da188d21071fa5

SHA256
68556a214b7679192ed1a5fe0965bd9028cae51fa5b2535782c2b893bfcf0374

SHA512
1749d67fdfd99a8fea89aa87a36bb7b3fb232027941f29ddbfa10b82caf15fb110fa06de0834be035ecfeabcff389199e470fdce79b27a90749437498d9e4f9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\OperaSetup\OperaSetup.exe
Filesize
64KB

MD5
174fabb07b7d33402cdf60c0deee5cff

SHA1
61b70d8150802a67f03d366e7585b348779a2a44

SHA256
ca30a1ef9b4df3989f148c3d81fd61863aabb087c9c089fd65848fe81546e445

SHA512
431911ab1f7afeb49bb0b11e64ddfa6d6979148b1e2ec0b52d363d89918e58c6876e8a54d5fc774ee627229bf64e6eddd1f49184726177b02ea0c9ce22a3a666

Download Submit
C:\Users\Admin\AppData\Local\Temp\OperaSetup\OperaSetup.exe
Filesize
1.3MB

MD5
48b82a02c9df71f018c032d95b5fbcc9

SHA1
71af483d155e3425db566c6a4c51f2e12312981d

SHA256
d74f361c9dfb979c2c22ab994adf3ed42f7ca87cd0ee7e53ca176e8c50ac11ce

SHA512
910ced6d3b48371fe2d9d825e9d6a1332fac9f92788e7de52875bd695ce9d1896f01c07045b4c08af6c20455047306b00d04c995e0360fe8c52791643dffaab0

Download Submit
C:\Users\Admin\AppData\Local\Temp\OperaSetup\OperaSetup.exe
Filesize
1.1MB

MD5
37ac0bd443708f00f2e7fa34dd4b386c

SHA1
12d4f01d7f08e20846eb14ebe5b8f1f99d1c28fb

SHA256
a878b89aede27e8ceb1d1b36dc76deb60dddf176aa475f5d24db040b827cf024

SHA512
2fb8341ec628ea303bc4339c2563b7e2bead4c45398ffef8015114c7144e0e0829d51d531fbb72ab82c054cfeb76a0c8e536bac55d15da4f5bc987c4e420ce8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\OperaSetup\OperaSetup.exe
Filesize
2.8MB

MD5
7b40e391f1ccfd9c7b7bb1e052e42d4e

SHA1
a87a6c8e2f2600ed6424c0de74fceeb31271913b

SHA256
2d324903b695572256bdc3cb4e569ef0585749ef784f6cd70d0438a8ce14baff

SHA512
4bf664d74569fa4f25e8f4965d1fd195c379caaad0cfb22843898426dde6a7cc9dd3ec6e1b879fee115aecea79d3e6536e8faa2a4f1d6da28ffa438f36367bf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403121906140021944.dll
Filesize
3.6MB

MD5
17fe6e1d050c0caa7a165200f40e3493

SHA1
5cc9305f30fdb09b6cfb5bb03e95a154eb440508

SHA256
63fc277f8076d26ca5f989d69bd817c83001937e72fd51bb0fa1d3762f53e204

SHA512
d5a573b96cdf3cf05b336cdb567dfbe0b12f7939a7f835537ec1f4adf101853e9351ce9acca1fcb39e01f3c00220fd22f096bb08d88bd6e83d42ce6cf93b181a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403121906149393280.dll
Filesize
512KB

MD5
5d58dc17f4109c006781f56fe1861d1d

SHA1
c11b0af967a14f78f4f6d1a7b21e9cc4437e81b5

SHA256
942b23a26b0989c364687958af9e778bc1fb4e33e5ed8b3638fd47fadb1be701

SHA512
a6074bc51ec347c8d697f32a17832fe19ddf9cde320730fab3a68cdc8f42e26c2178998bd831304b852710b487f290370aa689d7c28153c24310b5851456c370

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403121906154394452.dll
Filesize
1.5MB

MD5
7b63ab108a1b4e39bca67b9b75fa0859

SHA1
7bf7f73970040d21d5fee2c8cd6295d9f497e1ff

SHA256
8ad74f545fd6d0bb9a3a36c74d7fcdf99e3679bfc2ee6ba1d08ff4b69835a13f

SHA512
8e51c515004ae2900de97feebe3ad05cb0d49283dfdd1a5abd94c84f608e39e30990932abc44ae5954f911e720571036cb6fa8222f511a4166fe38b0c7e4f320

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403121906154394452.dll
Filesize
1.6MB

MD5
d87450037838adc2f6c7c9a9ef019ea7

SHA1
b2ab51aa963ce5f8c06b58d50ab7cbe5f6901e0c

SHA256
1983bf9f9532692c90ccfb7e1f57498de7ba6b5ad40bf322136d64c021c579f6

SHA512
4b04e5708706f0b75bd11a5fdb1835b46f42d713db5ad48e2b0dda9dfa4c3d71fb856f098f2b8e19d79a8a04a47a56c48786f57243c127e623ac27eadd5d1d2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403121906157134172.dll
Filesize
1.1MB

MD5
0ae372a079fd6b68d6692c556e8d5ce1

SHA1
196265de4aa73253e5256a6d9f82b75a26465f7c

SHA256
aa117e2a9bf0057ca24fe104691835e9df1ed51b2d5cf7435ffdb6035689849a

SHA512
465682fff035d22729bd4e72975259c5242f7ec93bdd3a08955318253ae5c28dbf120b15131d496feb174988c0fa8efe1cc767a9c0f5ce089eea10a8789e059b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403121906171584952.dll
Filesize
2.3MB

MD5
bfe428cf60091634f8de977865bfaf90

SHA1
8df1e1210f4647f4d7d9c9f26a319a4e340a1479

SHA256
f261354aa74a1a571869667796c1d26903ef522f266a83b6909bb239e7de31df

SHA512
4415d38ba5b1586018717dc382d3b367e8467dfc694c2785da33ea721cf92fc00db2ca57079c051670052650635ca3e497aff48fed93476bc82705757e8e16e5

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat
Filesize
40B

MD5
7c3f32c65dbc9e482bb7a5a562371ecc

SHA1
f71d64450a1a030e659a2921c80f68b05ee4d4c6

SHA256
4dcb15761d54ee4bc74bf8ece2005736b7b2eba563d44805a875bdb9af73f1f5

SHA512
14ef6e3ed9813d201ff91b6345ff1224fef575ac03b87e85039e08e95060b7ab093e5c2e40c09b5835e236bad7c587881151c12eaaf0c7133048b2ba001c8532

Download Submit
memory/1944-6-0x0000000000700000-0x0000000000C34000-memory.dmp

Filesize
5.2MB

Download
memory/1944-54-0x0000000000700000-0x0000000000C34000-memory.dmp

Filesize
5.2MB

Download
memory/3280-56-0x0000000000700000-0x0000000000C34000-memory.dmp

Filesize
5.2MB

Download
memory/3280-12-0x0000000000700000-0x0000000000C34000-memory.dmp

Filesize
5.2MB

Download
memory/4172-31-0x0000000000700000-0x0000000000C34000-memory.dmp

Filesize
5.2MB

Download
memory/4452-27-0x0000000000AA0000-0x0000000000FD4000-memory.dmp

Filesize
5.2MB

Download
memory/4452-26-0x0000000000AA0000-0x0000000000FD4000-memory.dmp

Filesize
5.2MB

Download
memory/4848-59-0x0000000004B40000-0x0000000004B50000-memory.dmp

Filesize
64KB

Download
memory/4848-55-0x00000000750D0000-0x0000000075880000-memory.dmp

Filesize
7.7MB

Download
memory/4848-0-0x00000000750D0000-0x0000000075880000-memory.dmp

Filesize
7.7MB

Download
memory/4848-2-0x0000000004B40000-0x0000000004B50000-memory.dmp

Filesize
64KB

Download
memory/4848-1-0x00000000000E0000-0x00000000000EE000-memory.dmp

Filesize
56KB

Download
memory/4848-157-0x0000000005DF0000-0x0000000005EF2000-memory.dmp

Filesize
1.0MB

Download
memory/4952-58-0x0000000000700000-0x0000000000C34000-memory.dmp

Filesize
5.2MB

Download
memory/4952-35-0x0000000000700000-0x0000000000C34000-memory.dmp

Filesize
5.2MB

Download