1cc417c05d1a0ffc1f480e33158fb8230c093ab22b1bc90371e189ab8aaf96a1

General

Target

28050c06cb9377a1f54773370b24723e0d2849b5b71899bed40b9da7837f2974.exe
Size

43KB
MD5

d406ce5200488ab3fb725bbd16324864
SHA1

f7f619307ec9b463abfc7ede001274d12cdc447e
SHA256

28050c06cb9377a1f54773370b24723e0d2849b5b71899bed40b9da7837f2974
SHA512

461822da36db093cae46ab3b1a5fa34617f9fb37bec97c38c33efd134c61df75fecc3192442005645c30c411d6e0eedff6d130c053d80ad557064df12c89a883
SSDEEP

768:XIeRwUuo7jHzx2ET1RVfyCSUz2rx2ET1RVfyCSUzcA20I2BDWNAMxkEQp:1RTuCxH1RAO2rxH1RAOcAsCWFx6

Score

8^/10

spyware stealer upx

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 8 IoCs

Processes:

OperaSetup.exeOperaSetup.exeOperaSetup.exeOperaSetup.exeOperaSetup.exeAssistant_109.0.5097.45_Setup.exe_sfx.exeassistant_installer.exeassistant_installer.exe

pid	process
2196	OperaSetup.exe
1404	OperaSetup.exe
4344	OperaSetup.exe
1360	OperaSetup.exe
684	OperaSetup.exe
3392	Assistant_109.0.5097.45_Setup.exe_sfx.exe
3800	assistant_installer.exe
2708	assistant_installer.exe

Loads dropped DLL 9 IoCs

Processes:

OperaSetup.exeOperaSetup.exeOperaSetup.exeOperaSetup.exeOperaSetup.exeassistant_installer.exeassistant_installer.exe

pid	process
2196	OperaSetup.exe
1404	OperaSetup.exe
4344	OperaSetup.exe
1360	OperaSetup.exe
684	OperaSetup.exe
3800	assistant_installer.exe
3800	assistant_installer.exe
2708	assistant_installer.exe
2708	assistant_installer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\OperaSetup\OperaSetup.exe	upx
behavioral2/memory/2196-6-0x0000000000060000-0x0000000000594000-memory.dmp	upx
behavioral2/memory/1404-12-0x0000000000060000-0x0000000000594000-memory.dmp	upx
behavioral2/memory/4344-23-0x0000000000940000-0x0000000000E74000-memory.dmp	upx
behavioral2/memory/4344-27-0x0000000000940000-0x0000000000E74000-memory.dmp	upx
behavioral2/memory/1360-30-0x0000000000060000-0x0000000000594000-memory.dmp	upx
behavioral2/memory/684-37-0x0000000000060000-0x0000000000594000-memory.dmp	upx
behavioral2/memory/2196-74-0x0000000000060000-0x0000000000594000-memory.dmp	upx
behavioral2/memory/1404-75-0x0000000000060000-0x0000000000594000-memory.dmp	upx
behavioral2/memory/1360-76-0x0000000000060000-0x0000000000594000-memory.dmp	upx
behavioral2/memory/684-79-0x0000000000060000-0x0000000000594000-memory.dmp	upx

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

OperaSetup.exeOperaSetup.exe

description	ioc	process
File opened (read-only)	\??\D:	OperaSetup.exe
File opened (read-only)	\??\F:	OperaSetup.exe
File opened (read-only)	\??\D:	OperaSetup.exe
File opened (read-only)	\??\F:	OperaSetup.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

OperaSetup.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e199604000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	OperaSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	OperaSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f53000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c7f000000010000000c000000300a06082b060105050703097e000000010000000800000000c001b39667d601030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	OperaSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae4747e000000010000000800000000c001b39667d6017f000000010000000c000000300a06082b060105050703091d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb0b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b0601050507030853000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	OperaSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	OperaSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e75490f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e4190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	OperaSetup.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

28050c06cb9377a1f54773370b24723e0d2849b5b71899bed40b9da7837f2974.exe

description pid process

Token: SeDebugPrivilege 5048 28050c06cb9377a1f54773370b24723e0d2849b5b71899bed40b9da7837f2974.exe

description	pid	process
Token: SeDebugPrivilege	5048	28050c06cb9377a1f54773370b24723e0d2849b5b71899bed40b9da7837f2974.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

28050c06cb9377a1f54773370b24723e0d2849b5b71899bed40b9da7837f2974.exeOperaSetup.exeOperaSetup.exeassistant_installer.exe

description	pid	process	target process
PID 5048 wrote to memory of 2196	5048	28050c06cb9377a1f54773370b24723e0d2849b5b71899bed40b9da7837f2974.exe	OperaSetup.exe
PID 5048 wrote to memory of 2196	5048	28050c06cb9377a1f54773370b24723e0d2849b5b71899bed40b9da7837f2974.exe	OperaSetup.exe
PID 5048 wrote to memory of 2196	5048	28050c06cb9377a1f54773370b24723e0d2849b5b71899bed40b9da7837f2974.exe	OperaSetup.exe
PID 2196 wrote to memory of 1404	2196	OperaSetup.exe	OperaSetup.exe
PID 2196 wrote to memory of 1404	2196	OperaSetup.exe	OperaSetup.exe
PID 2196 wrote to memory of 1404	2196	OperaSetup.exe	OperaSetup.exe
PID 2196 wrote to memory of 4344	2196	OperaSetup.exe	OperaSetup.exe
PID 2196 wrote to memory of 4344	2196	OperaSetup.exe	OperaSetup.exe
PID 2196 wrote to memory of 4344	2196	OperaSetup.exe	OperaSetup.exe
PID 2196 wrote to memory of 1360	2196	OperaSetup.exe	OperaSetup.exe
PID 2196 wrote to memory of 1360	2196	OperaSetup.exe	OperaSetup.exe
PID 2196 wrote to memory of 1360	2196	OperaSetup.exe	OperaSetup.exe
PID 1360 wrote to memory of 684	1360	OperaSetup.exe	OperaSetup.exe
PID 1360 wrote to memory of 684	1360	OperaSetup.exe	OperaSetup.exe
PID 1360 wrote to memory of 684	1360	OperaSetup.exe	OperaSetup.exe
PID 2196 wrote to memory of 3392	2196	OperaSetup.exe	Assistant_109.0.5097.45_Setup.exe_sfx.exe
PID 2196 wrote to memory of 3392	2196	OperaSetup.exe	Assistant_109.0.5097.45_Setup.exe_sfx.exe
PID 2196 wrote to memory of 3392	2196	OperaSetup.exe	Assistant_109.0.5097.45_Setup.exe_sfx.exe
PID 2196 wrote to memory of 3800	2196	OperaSetup.exe	assistant_installer.exe
PID 2196 wrote to memory of 3800	2196	OperaSetup.exe	assistant_installer.exe
PID 2196 wrote to memory of 3800	2196	OperaSetup.exe	assistant_installer.exe
PID 3800 wrote to memory of 2708	3800	assistant_installer.exe	assistant_installer.exe
PID 3800 wrote to memory of 2708	3800	assistant_installer.exe	assistant_installer.exe
PID 3800 wrote to memory of 2708	3800	assistant_installer.exe	assistant_installer.exe

C:\Users\Admin\AppData\Local\Temp\28050c06cb9377a1f54773370b24723e0d2849b5b71899bed40b9da7837f2974.exe
"C:\Users\Admin\AppData\Local\Temp\28050c06cb9377a1f54773370b24723e0d2849b5b71899bed40b9da7837f2974.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5048

C:\Users\Admin\AppData\Local\Temp\OperaSetup\OperaSetup.exe
"C:\Users\Admin\AppData\Local\Temp\OperaSetup\OperaSetup.exe" -silent --allusers=0 --otd="utm.medium:apb,utm.source:RSTP,utm.campaign:op266"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2196

C:\Users\Admin\AppData\Local\Temp\OperaSetup\OperaSetup.exe
C:\Users\Admin\AppData\Local\Temp\OperaSetup\OperaSetup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=107.0.5045.21 --initial-client-data=0x2f4,0x2f8,0x2fc,0x2c0,0x300,0x6db21184,0x6db21190,0x6db2119c
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1404

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\OperaSetup.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\OperaSetup.exe" --version
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4344

C:\Users\Admin\AppData\Local\Temp\OperaSetup\OperaSetup.exe
"C:\Users\Admin\AppData\Local\Temp\OperaSetup\OperaSetup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=2196 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240419164704" --session-guid=e99b8a95-f435-4884-a597-ec70fc7c719a --server-tracking-blob="M2Q0NmJiMmI5ZTcwZDQ3ZWYwYmY2NjE3M2VhYTg3YzY5YzVhMjI0NDY4NzgwNzM4ZmU0ZDkxODAxM2FiNWFiYjp7ImNvdW50cnkiOiJSVSIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGU/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1SU1RQJnV0bV9jYW1wYWlnbj1vcDIiLCJzeXN0ZW0iOnsicGxhdGZvcm0iOnsiYXJjaCI6Ing4Nl82NCIsIm9wc3lzIjoiV2luZG93cyIsIm9wc3lzLXZlcnNpb24iOiIxMCIsInBhY2thZ2UiOiJFWEUifX0sInRpbWVzdGFtcCI6IjE3MDg0MjgxODYuNDMwMiIsInVzZXJhZ2VudCI6IldnZXQvMS4xOS41IChsaW51eC1nbnUpIiwidXRtIjp7ImNhbXBhaWduIjoib3AyNjYiLCJtZWRpdW0iOiJhcGIiLCJzb3VyY2UiOiJSU1RQIn0sInV1aWQiOiJmYWU5YWRmNi1iNWQ2LTQ1N2EtODlmOS0wZjk0YzgwMDE0Y2QifQ== " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=B005000000000000
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:1360

C:\Users\Admin\AppData\Local\Temp\OperaSetup\OperaSetup.exe
C:\Users\Admin\AppData\Local\Temp\OperaSetup\OperaSetup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=107.0.5045.21 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2c0,0x2f0,0x6c481184,0x6c481190,0x6c48119c
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:684

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404191647041\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404191647041\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe"
3⤵
- Executes dropped EXE
PID:3392

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404191647041\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404191647041\assistant\assistant_installer.exe" --version
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3800

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404191647041\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404191647041\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x1186038,0x1186044,0x1186050
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404191647041\additional_file0.tmp
Filesize
2.5MB

MD5
15d8c8f36cef095a67d156969ecdb896

SHA1
a1435deb5866cd341c09e56b65cdda33620fcc95

SHA256
1521c69f478e9ced2f64b8714b9e19724e747cd8166e0f7ab5db1151a523dda8

SHA512
d6f48180d4dcb5ba83a9c0166870ac00ea67b615e749edf5994bc50277bf97ca87f582ac6f374c5351df252db73ee1231c943b53432dbb7563e12bbaf5bb393a

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404191647041\assistant\assistant_installer.exe
Filesize
1.9MB

MD5
976bc8e5fe65f9bb56831e20f1747150

SHA1
f9e7f5628aaaabed9939ef055540e24590a9ccfb

SHA256
f53c916ccf3d24d6793227283de2db0f6cc98a2275413851807cc080643d21a0

SHA512
2858e7e08418b170b21b599afb02236d0480d35a5605de142f10976489e01daf2ad80df0f09c2eb38bc5a971336d1f6aa9909c520bcdb18e9c9a8e903379dcd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404191647041\assistant\dbgcore.DLL
Filesize
166KB

MD5
9ebb919b96f6f94e1be4cdc6913ef629

SHA1
31e99ac4fba516f82b36bd81784e8d518b32f9df

SHA256
fdae21127deb16eb8ba36f2493d2255f4cb8ab4c18e8bd8ba5e587f5a7ecd119

SHA512
a1b42f7d2896da270bb3c80cf9b88c4b4f1491084e7aa7760eeea5533b26f041dc79b21d5ffd2bba2221fe118e0a8d912e170f24fd895c9315b1ee9c7adfe700

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404191647041\assistant\dbghelp.dll
Filesize
1.7MB

MD5
544255258f9d45b4608ccfd27a4ed1dd

SHA1
571e30ceb9c977817b5bbac306366ae59f773497

SHA256
3b02fc85602e83059f611c658e3cad6bc59c3c51214d4fe7e31f3ac31388dd68

SHA512
2093da881fa90eec2b90d1ca6eaaff608fe16ac612571a7fd5ed94dd5f7ff7e5c1e8c862bab0a228850829527886473e3942abd23a81d10cab8f9baad2cc7664

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404191647041\opera_package
Filesize
103.8MB

MD5
5014156e9ffbb75d1a8d5fc09fabdc42

SHA1
6968d1b5cec3039e53bbbedeee22e2d43d94c771

SHA256
7a01e11e1830ba3c154e5a6c383da15938b1e48f89a2fe4045cdd260924b6802

SHA512
bfc5c44881d0fa7bcbccfd530d874fa624adec50e1a16063a72de12876d2db10ca5edd6fa841ea63e9deca3ff2adf54065f50719fe051d41de92bb68edba4016

Download Submit
C:\Users\Admin\AppData\Local\Temp\OperaSetup\OperaSetup.exe
Filesize
2.8MB

MD5
7b40e391f1ccfd9c7b7bb1e052e42d4e

SHA1
a87a6c8e2f2600ed6424c0de74fceeb31271913b

SHA256
2d324903b695572256bdc3cb4e569ef0585749ef784f6cd70d0438a8ce14baff

SHA512
4bf664d74569fa4f25e8f4965d1fd195c379caaad0cfb22843898426dde6a7cc9dd3ec6e1b879fee115aecea79d3e6536e8faa2a4f1d6da28ffa438f36367bf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2404191647033812196.dll
Filesize
4.6MB

MD5
e0c1954fefffbaba33bf88088a5cb4fc

SHA1
c271a74a2c828b829de71482537b9723c9c9de40

SHA256
77c3f13ea98f68c966cc6c4f5a40f14c8a877d421219b8f77e08f6e88c79dcd1

SHA512
8e4c1f84f2247548012a78a2df84b947b589c4b60f6729e4bbebd4f6cf14dd31dbf19d4ff623f3a80f8d5d88f34bc99165d649e8fabadf3a14808a93f55c5f24

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat
Filesize
40B

MD5
3617ef7ca0718e13a9aa24986f0aaba0

SHA1
954bcb5687f194dac1af785a7b23dc77c093d8ab

SHA256
e4818e7f6fe971f56a2dbb244f804957351dfa795591c37eeb57ee1cc38b919b

SHA512
5938d93d8254d6395314b37c44d7a5598a950a9666bdc289d16034f42c678d5f2e7032243507cb826998ff321dd4e1337ffa4ad4e5bee16798cd03749bfa4cf5

Download Submit
memory/684-37-0x0000000000060000-0x0000000000594000-memory.dmp

Filesize
5.2MB

Download
memory/684-79-0x0000000000060000-0x0000000000594000-memory.dmp

Filesize
5.2MB

Download
memory/1360-76-0x0000000000060000-0x0000000000594000-memory.dmp

Filesize
5.2MB

Download
memory/1360-30-0x0000000000060000-0x0000000000594000-memory.dmp

Filesize
5.2MB

Download
memory/1404-12-0x0000000000060000-0x0000000000594000-memory.dmp

Filesize
5.2MB

Download
memory/1404-75-0x0000000000060000-0x0000000000594000-memory.dmp

Filesize
5.2MB

Download
memory/2196-74-0x0000000000060000-0x0000000000594000-memory.dmp

Filesize
5.2MB

Download
memory/2196-6-0x0000000000060000-0x0000000000594000-memory.dmp

Filesize
5.2MB

Download
memory/4344-23-0x0000000000940000-0x0000000000E74000-memory.dmp

Filesize
5.2MB

Download
memory/4344-27-0x0000000000940000-0x0000000000E74000-memory.dmp

Filesize
5.2MB

Download
memory/5048-80-0x0000000074ED0000-0x0000000075680000-memory.dmp

Filesize
7.7MB

Download
memory/5048-0-0x0000000000A40000-0x0000000000A4E000-memory.dmp

Filesize
56KB

Download
memory/5048-2-0x00000000053D0000-0x00000000053E0000-memory.dmp

Filesize
64KB

Download
memory/5048-1-0x0000000074ED0000-0x0000000075680000-memory.dmp

Filesize
7.7MB

Download
memory/5048-125-0x00000000053D0000-0x00000000053E0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads