Overview

overview

7

Static

static

3

OperaGXSetup.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-04-2024 14:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    OperaGXSetup.exe

  • Size

    5.7MB

  • MD5

    8129d803df449a85ee20f221451c4982

  • SHA1

    87d55c03b9346c7aa2d4bb8510d04be5f26ce3ef

  • SHA256

    c548bd46802e558e3f5119e53948f620881ac8dfefc4647a70b1395f1163ee63

  • SHA512

    d6227e8ff2237765124ba17d8ba7907e8faa1c32363189dc1c2f73186ea649d2fed35dd3f18138457739b50d2aeeec8088a45af853335468fda75c99deaafdde

  • SSDEEP

    98304:y0NFx6666666666666666666666666666666x666666666666666fwwwwwwwwww4:BdUcT+ApWkdjQgmg7Ynn30jpKca6iPdR

Score
7/10
spywarestealer

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 4 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe"
    1⤵
    • Loads dropped DLL
    • Enumerates connected drives
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1680
    • C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe
      C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=109.0.5097.62 --initial-client-data=0x2a0,0x2a4,0x2a8,0x27c,0x2ac,0x756c4208,0x756c4214,0x756c4220
      2⤵
      • Loads dropped DLL
      PID:4964
    • C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\OperaGXSetup.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\OperaGXSetup.exe" --version
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:3460
    • C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe
      "C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=1 --general-interests=1 --general-location=1 --personalized-content=1 --personalized-ads=1 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera GX" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=0 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --server-tracking-data=server_tracking_data --initial-pid=1680 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_20240428144403" --session-guid=f26ba49b-8c0f-4cc8-b7c2-1639bfeb94b1 --server-tracking-blob="ZDVjZGVhYWZkOThmOWQyNmNkY2ExMzQ4NTFjNzA3OWY1YWNiNGYyY2I0ZWMzMGQ5NzhmN2FiZDkwZDYxYmY3Mjp7ImNvdW50cnkiOiJJTiIsImh0dHBfcmVmZXJyZXIiOiJodHRwczovL3d3dy5vcGVyYS5jb20vIiwiaW5zdGFsbGVyX25hbWUiOiJPcGVyYUdYU2V0dXAuZXhlIiwicHJvZHVjdCI6eyJuYW1lIjoib3BlcmFfZ3gifSwicXVlcnkiOiIvb3BlcmFfZ3gvc3RhYmxlL3dpbmRvd3M/dXRtX3NvdXJjZT1Mb290bGFicyZ1dG1fbWVkaXVtPXBhJnV0bV9jYW1wYWlnbj1Mb290bGFic19JTiZ1dG1fY29udGVudD0xMDIyMDMxJnV0bV9pZD0xODI1NzA4MTYzMTY0NzI1MiZodHRwX3JlZmVycmVyPWh0dHBzJTNBJTJGJTJGbG9vdC1saW5rLmNvbSUyRiZ1dG1fc2l0ZT1vcGVyYV9jb20mdXRtX2xhc3RwYWdlPWxvb3QtbGluay5jb20lMkYmZGxfdG9rZW49MjM5NzUzMTUiLCJzeXN0ZW0iOnsicGxhdGZvcm0iOnsiYXJjaCI6Ing4Nl82NCIsIm9wc3lzIjoiV2luZG93cyIsIm9wc3lzLXZlcnNpb24iOiIxMCIsInBhY2thZ2UiOiJFWEUifX0sInRpbWVzdGFtcCI6IjE3MTQzMTUzNTAuODEyNSIsInVzZXJhZ2VudCI6Ik1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDEwLjA7IFdpbjY0OyB4NjQpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS8xMjQuMC4wLjAgU2FmYXJpLzUzNy4zNiIsInV0bSI6eyJjYW1wYWlnbiI6Ikxvb3RsYWJzX0lOIiwiY29udGVudCI6IjEwMjIwMzEiLCJpZCI6IjE4MjU3MDgxNjMxNjQ3MjUyIiwibGFzdHBhZ2UiOiJsb290LWxpbmsuY29tLyIsIm1lZGl1bSI6InBhIiwic2l0ZSI6Im9wZXJhX2NvbSIsInNvdXJjZSI6Ikxvb3RsYWJzIn0sInV1aWQiOiI2YzFhOGEyNi04ZGZjLTRlYmYtOWZiMS1jMTNjOTkwZmE1MzUifQ== " --desktopshortcut=1 --wait-for-package --initial-proc-handle=0407000000000000
      2⤵
      • Loads dropped DLL
      • Enumerates connected drives
      • Suspicious use of WriteProcessMemory
      PID:3584
      • C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe
        C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=109.0.5097.62 --initial-client-data=0x2b0,0x2b4,0x2b8,0x27c,0x2ac,0x72db4208,0x72db4214,0x72db4220
        3⤵
        • Loads dropped DLL
        PID:1996

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\OperaGXSetup.exe
    Filesize

    5.7MB

    MD5

    8129d803df449a85ee20f221451c4982

    SHA1

    87d55c03b9346c7aa2d4bb8510d04be5f26ce3ef

    SHA256

    c548bd46802e558e3f5119e53948f620881ac8dfefc4647a70b1395f1163ee63

    SHA512

    d6227e8ff2237765124ba17d8ba7907e8faa1c32363189dc1c2f73186ea649d2fed35dd3f18138457739b50d2aeeec8088a45af853335468fda75c99deaafdde

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Opera_installer_2404281444024401680.dll
    Filesize

    5.2MB

    MD5

    d9381da82bb61f1c9a062efc9cd97ad1

    SHA1

    5735dd07793e53d0a03e71460f28758e4d723044

    SHA256

    9d3843246ca4774fcefe7c55fa90018c661a0e54c6f92f9d24aebfa07124b519

    SHA512

    bba0b159e90ea1eec4e2f1798500e6ca482a0b583142b11da530fb86a3fdee2fd9a17b7ba020d3ab2a49cc0a603e29533b811246c345c996ae753b16671dfd91

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports\settings.dat
    Filesize

    40B

    MD5

    e6cc5d5223ed9c18096afc5be4495c27

    SHA1

    18c27f1821ade5942c09a2bd4bd82e07ceda9d5d

    SHA256

    c7baec01395d0d301e27a4f9bbff32b0ad55aa2eae8389f627f1e59dd15f3a09

    SHA512

    a5062c8ff0a2203a915eab657fb014cf4741a28bf478f53e8484b95496e438c7aa58e9d7622f5ac83927845a7f5f413042acc3df9ef1df80846a771d8e090230

    Download Submit