4669eac236666fa63c3aed887b0b078687eb7330bfe5c382f11b79aea6701ff5

General

Target

OperaGXSetup.exe
Size

3.4MB
MD5

7b72f800405aba0b9f96d566b15d2f32
SHA1

426b8e0438a4f01ea14868c8a00dbb66d23d9c95
SHA256

4669eac236666fa63c3aed887b0b078687eb7330bfe5c382f11b79aea6701ff5
SHA512

675526c5dff951884aec0e1ee119a63bf6cf3509a36e9574857ceee0bb25d3cafac583f17c91b2b5f18535f8fa468f83f060f84d85ab98126fa0c29841346351
SSDEEP

98304:FWWQhQcezmxBQsvVy41p/pD+xYeo0M7XZA+cX5CE1azrBLrUFE:FWBezgBLYQ/9+A0oZ+knd

Score

8^/10

spyware stealer upx

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
2116	OperaGXSetup.exe
4724	Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe
3140	assistant_installer.exe
1112	assistant_installer.exe

Loads dropped DLL 3 IoCs

pid	Process
3220	OperaGXSetup.exe
368	OperaGXSetup.exe
2116	OperaGXSetup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3220-0-0x0000000000DD0000-0x0000000001390000-memory.dmp	upx
behavioral1/memory/368-7-0x0000000000DD0000-0x0000000001390000-memory.dmp	upx
behavioral1/files/0x000700000002320d-12.dat	upx
behavioral1/memory/2116-14-0x0000000000670000-0x0000000000C30000-memory.dmp	upx
behavioral1/memory/2116-18-0x0000000000670000-0x0000000000C30000-memory.dmp	upx
behavioral1/memory/3220-36-0x0000000000DD0000-0x0000000001390000-memory.dmp	upx
behavioral1/memory/368-37-0x0000000000DD0000-0x0000000001390000-memory.dmp	upx

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	OperaGXSetup.exe
File opened (read-only)	\??\F:	OperaGXSetup.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	OperaGXSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	OperaGXSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	OperaGXSetup.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3220	OperaGXSetup.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3220 wrote to memory of 368	3220	OperaGXSetup.exe	88
PID 3220 wrote to memory of 368	3220	OperaGXSetup.exe	88
PID 3220 wrote to memory of 368	3220	OperaGXSetup.exe	88
PID 3220 wrote to memory of 2116	3220	OperaGXSetup.exe	89
PID 3220 wrote to memory of 2116	3220	OperaGXSetup.exe	89
PID 3220 wrote to memory of 2116	3220	OperaGXSetup.exe	89
PID 3220 wrote to memory of 4724	3220	OperaGXSetup.exe	101
PID 3220 wrote to memory of 4724	3220	OperaGXSetup.exe	101
PID 3220 wrote to memory of 4724	3220	OperaGXSetup.exe	101
PID 3220 wrote to memory of 3140	3220	OperaGXSetup.exe	103
PID 3220 wrote to memory of 3140	3220	OperaGXSetup.exe	103
PID 3220 wrote to memory of 3140	3220	OperaGXSetup.exe	103
PID 3140 wrote to memory of 1112	3140	assistant_installer.exe	104
PID 3140 wrote to memory of 1112	3140	assistant_installer.exe	104
PID 3140 wrote to memory of 1112	3140	assistant_installer.exe	104

C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe
"C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3220
- C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe
  C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=107.0.5045.60 --initial-client-data=0x2f0,0x2f4,0x2f8,0x2cc,0x2fc,0x74b96214,0x74b96220,0x74b9622c
  2⤵
  - Loads dropped DLL
  PID:368
- C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\OperaGXSetup.exe
  "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\OperaGXSetup.exe" --version
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2116
- C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202403131632231\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe
  "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202403131632231\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe"
  2⤵
  - Executes dropped EXE
  PID:4724
- C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202403131632231\assistant\assistant_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202403131632231\assistant\assistant_installer.exe" --version
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3140
- - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202403131632231\assistant\assistant_installer.exe
    "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202403131632231\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=73.0.3856.382 --initial-client-data=0x26c,0x270,0x274,0x248,0x278,0x504f48,0x504f58,0x504f64
    3⤵
    - Executes dropped EXE
    PID:1112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\OperaGXSetup.exe

Filesize
768KB

MD5
875a49102908f34de934f29b1232d545

SHA1
d1b7af561deeff147f3c9b83a38007fae50889cb

SHA256
afd7602d14aa4be1605f4cf53a9bc35fb578f4d3b4458099e75e28e5dd22a6a1

SHA512
a0432562c97f487d173edc006ee15b22c859d4e22dfb226be03b48fdfb3ef9c0b5606946bd3e99a29ea6417a605d06ff981980efaf6d671586d2140c6d4bdbb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202403131632231\additional_file0.tmp

Filesize
1.4MB

MD5
e9a2209b61f4be34f25069a6e54affea

SHA1
6368b0a81608c701b06b97aeff194ce88fd0e3c0

SHA256
e950f17f4181009eeafa9f5306e8a9dfd26d88ca63b1838f44ff0efc738e7d1f

SHA512
59e46277ca79a43ed8b0a25b24eff013e251a75f90587e013b9c12851e5dd7283b6172f7d48583982f6a32069457778ee440025c1c754bf7bb6ce8ae1d2c3fc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202403131632231\assistant\assistant_installer.exe

Filesize
1.8MB

MD5
4c8fbed0044da34ad25f781c3d117a66

SHA1
8dd93340e3d09de993c3bc12db82680a8e69d653

SHA256
afe569ce9e4f71c23ba5f6e8fd32be62ac9538e397cde8f2ecbe46faa721242a

SHA512
a04e6fd052d2d63a0737c83702c66a9af834f9df8423666508c42b3e1d8384300239c9ddacdc31c1e85140eb1193bcfac209f218750b40342492ffce6e9da481

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202403131632231\opera_package

Filesize
131.5MB

MD5
207087be43261aa831dd9b0e1eb1b590

SHA1
461ec26386b88b6be541bc1c9bffd7a5acb5597a

SHA256
b71b7191e94ab072654f8ba078c58c6acaf87d0eee7e0439cabe8c0d40e44041

SHA512
1b0021ba91f3f107ddb7b6ccf356f75af175a41d51d199ef65c2f24678699c5fd0e91f26e238537a5b0a71ae0f6029c61353d55a0c1ed437b5b7631cb3b1ed4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403131632224343220.dll

Filesize
5.2MB

MD5
4456ddd14396b65c135891e14b5b5773

SHA1
5c4e293cb9c5611756dfe7ca8804bce61de524d3

SHA256
cda5f96c77024954e0faed3f7028192cba05b34de187586e26cc64b84782a8c8

SHA512
e694759fd4a0193e46d29fc04b563979e63ab3ed0b0216f22eacc0b10dd8effe0417f6695a82fab64ab312366c2388c1589a2cdbb1f0d08186cbaec6ffb1e50a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403131632233092116.dll

Filesize
2.9MB

MD5
00626e8483afd8214a9528e9d8873415

SHA1
eda2796434f27ed1c1f12c5c65c1a8eb5f8ad15e

SHA256
9755a80adc840c5850d05070a8282e482af6f0d87b6b3a97b2221641bb55ff97

SHA512
a36298d6bcf2f4ca20de85db4d45c8d1dc2249783cc348183207cce9288c18d426b624c2b3e56571b9712c14d0b14f473dc6a5b06593c219c9c075fbf865fcaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403131632233092116.dll

Filesize
128KB

MD5
4e19be02f76e72f743093792a506fd1b

SHA1
2519290fae3ac66a139380f0d24ffc533aa24473

SHA256
18541e4e50db5683987a04113840927edfaa8b15dfff6bbc97728e1af690cc96

SHA512
2645407be66463076754d52e9cfebec6092c899f6844c3aef3e4895446f8bf58a6c60bb1f106849ccf78e4399b0c07790fb0677918e50774341504a16bc86797

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports\settings.dat

Filesize
40B

MD5
ebf01581893cbcb43d744e2b940e352b

SHA1
434ffc4c1d4256e9c1152776252ee255f55cfdde

SHA256
664878ca4b7045afeccff58a2a17958abc89bcef028db257b365eec997030078

SHA512
66c2cfa25612fcd097f3e51e6420be45380740f9a8d33475a8a7533043414c03378c66b68a834fada50a6b6dadf141dfd8b0f7a807a8d6c16cf2fc3c2bdb5efa

Download Submit
memory/368-37-0x0000000000DD0000-0x0000000001390000-memory.dmp

Filesize
5.8MB

Download
memory/368-7-0x0000000000DD0000-0x0000000001390000-memory.dmp

Filesize
5.8MB

Download
memory/2116-18-0x0000000000670000-0x0000000000C30000-memory.dmp

Filesize
5.8MB

Download
memory/2116-14-0x0000000000670000-0x0000000000C30000-memory.dmp

Filesize
5.8MB

Download
memory/3220-36-0x0000000000DD0000-0x0000000001390000-memory.dmp

Filesize
5.8MB

Download
memory/3220-0-0x0000000000DD0000-0x0000000001390000-memory.dmp

Filesize
5.8MB

Download

Analysis

Sharing