5e5dd07f4253809a8e394da9020e2c102e49e5849a42f3387d655d7dbc4e5f84

General

Target

5e5dd07f4253809a8e394da9020e2c102e49e5849a42f3387d655d7dbc4e5f84.exe
Size

58KB
MD5

c0a01dae624c3b95161dce28717b8ef5
SHA1

2c471be193695b36c355599cbd7b8a2f48495be8
SHA256

5e5dd07f4253809a8e394da9020e2c102e49e5849a42f3387d655d7dbc4e5f84
SHA512

53709f2f42b1c7659ed3bfa14228e826b6e8ea5c0afa9acad25e16b99d1fe132da286930e2a58cd91554b36efbb8827ae0eb9435aa4afa8c6fbc972ef01da737
SSDEEP

1536:vIJyprNKNkmXJCOSXIKxH1RAO2MxH1RAOcesHxU:vIJyp5Wk6JoXIUH5H+en

Score

8^/10

spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 8 IoCs

Processes:

OperaGXSetup.exeOperaGXSetup.exeOperaGXSetup.exeOperaGXSetup.exeOperaGXSetup.exeOpera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exeassistant_installer.exeassistant_installer.exe

pid	process
5100	OperaGXSetup.exe
3840	OperaGXSetup.exe
2708	OperaGXSetup.exe
2016	OperaGXSetup.exe
5044	OperaGXSetup.exe
1212	Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe
1660	assistant_installer.exe
3636	assistant_installer.exe

Loads dropped DLL 5 IoCs

Processes:

OperaGXSetup.exeOperaGXSetup.exeOperaGXSetup.exeOperaGXSetup.exeOperaGXSetup.exe

pid process

5100 OperaGXSetup.exe
3840 OperaGXSetup.exe
2708 OperaGXSetup.exe
2016 OperaGXSetup.exe
5044 OperaGXSetup.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

OperaGXSetup.exeOperaGXSetup.exe

description	ioc	process
File opened (read-only)	\??\D:	OperaGXSetup.exe
File opened (read-only)	\??\F:	OperaGXSetup.exe
File opened (read-only)	\??\D:	OperaGXSetup.exe
File opened (read-only)	\??\F:	OperaGXSetup.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

OperaGXSetup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	OperaGXSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f53000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c7f000000010000000c000000300a06082b060105050703097e000000010000000800000000c001b39667d601030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	OperaGXSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae4747e000000010000000800000000c001b39667d6017f000000010000000c000000300a06082b060105050703091d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb0b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b0601050507030853000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	OperaGXSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	OperaGXSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	OperaGXSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	OperaGXSetup.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

5e5dd07f4253809a8e394da9020e2c102e49e5849a42f3387d655d7dbc4e5f84.exe

description pid process

Token: SeDebugPrivilege 2888 5e5dd07f4253809a8e394da9020e2c102e49e5849a42f3387d655d7dbc4e5f84.exe

description	pid	process
Token: SeDebugPrivilege	2888	5e5dd07f4253809a8e394da9020e2c102e49e5849a42f3387d655d7dbc4e5f84.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

5e5dd07f4253809a8e394da9020e2c102e49e5849a42f3387d655d7dbc4e5f84.exeOperaGXSetup.exeOperaGXSetup.exeassistant_installer.exe

description	pid	process	target process
PID 2888 wrote to memory of 5100	2888	5e5dd07f4253809a8e394da9020e2c102e49e5849a42f3387d655d7dbc4e5f84.exe	OperaGXSetup.exe
PID 2888 wrote to memory of 5100	2888	5e5dd07f4253809a8e394da9020e2c102e49e5849a42f3387d655d7dbc4e5f84.exe	OperaGXSetup.exe
PID 2888 wrote to memory of 5100	2888	5e5dd07f4253809a8e394da9020e2c102e49e5849a42f3387d655d7dbc4e5f84.exe	OperaGXSetup.exe
PID 5100 wrote to memory of 3840	5100	OperaGXSetup.exe	OperaGXSetup.exe
PID 5100 wrote to memory of 3840	5100	OperaGXSetup.exe	OperaGXSetup.exe
PID 5100 wrote to memory of 3840	5100	OperaGXSetup.exe	OperaGXSetup.exe
PID 5100 wrote to memory of 2708	5100	OperaGXSetup.exe	OperaGXSetup.exe
PID 5100 wrote to memory of 2708	5100	OperaGXSetup.exe	OperaGXSetup.exe
PID 5100 wrote to memory of 2708	5100	OperaGXSetup.exe	OperaGXSetup.exe
PID 5100 wrote to memory of 2016	5100	OperaGXSetup.exe	OperaGXSetup.exe
PID 5100 wrote to memory of 2016	5100	OperaGXSetup.exe	OperaGXSetup.exe
PID 5100 wrote to memory of 2016	5100	OperaGXSetup.exe	OperaGXSetup.exe
PID 2016 wrote to memory of 5044	2016	OperaGXSetup.exe	OperaGXSetup.exe
PID 2016 wrote to memory of 5044	2016	OperaGXSetup.exe	OperaGXSetup.exe
PID 2016 wrote to memory of 5044	2016	OperaGXSetup.exe	OperaGXSetup.exe
PID 5100 wrote to memory of 1212	5100	OperaGXSetup.exe	Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe
PID 5100 wrote to memory of 1212	5100	OperaGXSetup.exe	Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe
PID 5100 wrote to memory of 1212	5100	OperaGXSetup.exe	Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe
PID 5100 wrote to memory of 1660	5100	OperaGXSetup.exe	assistant_installer.exe
PID 5100 wrote to memory of 1660	5100	OperaGXSetup.exe	assistant_installer.exe
PID 5100 wrote to memory of 1660	5100	OperaGXSetup.exe	assistant_installer.exe
PID 1660 wrote to memory of 3636	1660	assistant_installer.exe	assistant_installer.exe
PID 1660 wrote to memory of 3636	1660	assistant_installer.exe	assistant_installer.exe
PID 1660 wrote to memory of 3636	1660	assistant_installer.exe	assistant_installer.exe

C:\Users\Admin\AppData\Local\Temp\5e5dd07f4253809a8e394da9020e2c102e49e5849a42f3387d655d7dbc4e5f84.exe
"C:\Users\Admin\AppData\Local\Temp\5e5dd07f4253809a8e394da9020e2c102e49e5849a42f3387d655d7dbc4e5f84.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2888

C:\Users\Admin\AppData\Local\Temp\Setup\OperaGXSetup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup\OperaGXSetup.exe" -silent --allusers=0
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:5100

C:\Users\Admin\AppData\Local\Temp\Setup\OperaGXSetup.exe
C:\Users\Admin\AppData\Local\Temp\Setup\OperaGXSetup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=109.0.5097.93 --initial-client-data=0x2a4,0x2a8,0x2ac,0x2a0,0x2b0,0x6d854260,0x6d85426c,0x6d854278
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3840

C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\OperaGXSetup.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\OperaGXSetup.exe" --version
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2708

C:\Users\Admin\AppData\Local\Temp\Setup\OperaGXSetup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup\OperaGXSetup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera GX" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --server-tracking-data=server_tracking_data --initial-pid=5100 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_20240522014222" --session-guid=9931b6c1-4b6a-4d37-b3b9-55f4ef8baaf2 --server-tracking-blob=NDE1NzdmMGE2MmE1M2FlYTM1YjFmYmI4ZjJlOGQxODA0YTNiNGFhNGYxMDk5NTkzNjAwZDA5ODU4OGYyZmIwNjp7ImNvdW50cnkiOiJHQiIsImVkaXRpb24iOiJzdGQtMiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFHWFNldHVwLmV4ZSIsInByb2R1Y3QiOnsibmFtZSI6Im9wZXJhX2d4In0sInF1ZXJ5IjoiL29wZXJhX2d4L3N0YWJsZS9lZGl0aW9uL3N0ZC0yP3V0bV9zb3VyY2U9UFdOZ2FtZXMmdXRtX21lZGl1bT1wYSZ1dG1fY2FtcGFpZ249UFdOX0dCX1BCNV8zODQ5JnV0bV9pZD0zYmE2YTYyZWNjMjY0Mjk4OWRlZWU2NDZkNTI5YTU0YyZ1dG1fY29udGVudD0zODQ5X29wZ3g2NyIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTcxNjM0MjEzOC45MDY3IiwidXNlcmFnZW50IjoiRHJpdmVySHViSW5zdGFsbGVyLzMuNC41IiwidXRtIjp7ImNhbXBhaWduIjoiUFdOX0dCX1BCNV8zODQ5IiwiY29udGVudCI6IjM4NDlfb3BneDY3IiwiaWQiOiIzYmE2YTYyZWNjMjY0Mjk4OWRlZWU2NDZkNTI5YTU0YyIsIm1lZGl1bSI6InBhIiwic291cmNlIjoiUFdOZ2FtZXMifSwidXVpZCI6ImViYTY4Njk3LTQ5NDctNGFlYi05NTE0LTk1YWEzZTBiYWQwNiJ9 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=8C05000000000000
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:2016

C:\Users\Admin\AppData\Local\Temp\Setup\OperaGXSetup.exe
C:\Users\Admin\AppData\Local\Temp\Setup\OperaGXSetup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=109.0.5097.93 --initial-client-data=0x29c,0x2a0,0x2b0,0x278,0x2b4,0x6c094260,0x6c09426c,0x6c094278
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5044

C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202405220142221\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202405220142221\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe"
3⤵
- Executes dropped EXE
PID:1212

C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202405220142221\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202405220142221\assistant\assistant_installer.exe" --version
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1660

C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202405220142221\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202405220142221\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=73.0.3856.382 --initial-client-data=0x274,0x278,0x27c,0x250,0x280,0xf24f48,0xf24f58,0xf24f64
4⤵
- Executes dropped EXE
PID:3636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202405220142221\additional_file0.tmp

Filesize
1.4MB

MD5
e9a2209b61f4be34f25069a6e54affea

SHA1
6368b0a81608c701b06b97aeff194ce88fd0e3c0

SHA256
e950f17f4181009eeafa9f5306e8a9dfd26d88ca63b1838f44ff0efc738e7d1f

SHA512
59e46277ca79a43ed8b0a25b24eff013e251a75f90587e013b9c12851e5dd7283b6172f7d48583982f6a32069457778ee440025c1c754bf7bb6ce8ae1d2c3fc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202405220142221\assistant\assistant_installer.exe

Filesize
1.8MB

MD5
4c8fbed0044da34ad25f781c3d117a66

SHA1
8dd93340e3d09de993c3bc12db82680a8e69d653

SHA256
afe569ce9e4f71c23ba5f6e8fd32be62ac9538e397cde8f2ecbe46faa721242a

SHA512
a04e6fd052d2d63a0737c83702c66a9af834f9df8423666508c42b3e1d8384300239c9ddacdc31c1e85140eb1193bcfac209f218750b40342492ffce6e9da481

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2405220142201045100.dll

Filesize
5.2MB

MD5
0b412be3e2d36d61afa7f54e19ae8123

SHA1
d142c12b79e0f7b7440c49ad2fceca7cfbb530a1

SHA256
1f7300aad8fd6d03d00775949c151bc8fbbb901a358274f847aba7fda7b79c6b

SHA512
c9efcdcfb4186dad5a8bd9a6b9e34a31718887881cafbc5161c328ffe1107db113661b06856057dbfa2432673c8f6a954d083e440fa68b3bab2ba8b1a9cd1513

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup\OperaGXSetup.exe

Filesize
5.7MB

MD5
db3ac3ea7f922beb8148765d199cb552

SHA1
cea25b67f01fb9b8eccb1cb842c59afa94b1deb1

SHA256
9c93dab5af5595320b5253eb6934bef43174b06fc3a453d833d473138db729af

SHA512
3ec992e96ea3d089363b859eb4bd2cbeb5badb384080d5488cb16066c9908974211a1dd816970d0c0989b4e45e54b5edda95fe27d3e9103329d4b8fc7c48adb4

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports\settings.dat

Filesize
40B

MD5
1faa29a9ad0b0ea24986ace67de0e0cd

SHA1
94dd2310356547794d7c87eeb5ed01326c57c92e

SHA256
b62907469c437fa993e4279844213aa65c0d9a4c066bc32fb5d061645cf0012c

SHA512
1494f627dea3388871ea7e94afa629a85b46c372d1f6fe74676bf7ace160b6aaff972c7596579ee69e28c17699914f2e77b92205420a37748240fb237f518a64

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports\settings.dat

Filesize
40B

MD5
97dee5c603e595b924487d93ecbccaf7

SHA1
546d03cc29138f38b2d671b549b96653cb7dc425

SHA256
1baf56401066be9f55ba16fe54de4a422e95a9095a7d70c8571952f213b2477e

SHA512
b327e07bbb31462304b0fdf21c8a59ae899bf4c7b16f1cce2ab64b4569bb626926cef0ddacf62408b5acf2fee2b17b75f55d371afc9ee84ec312f7aec12d2234

Download Submit
memory/2888-0-0x0000000074C9E000-0x0000000074C9F000-memory.dmp

Filesize
4KB

Download
memory/2888-1-0x0000000000A60000-0x0000000000A72000-memory.dmp

Filesize
72KB

Download
memory/2888-2-0x0000000074C90000-0x0000000075440000-memory.dmp

Filesize
7.7MB

Download
memory/2888-115-0x0000000074C9E000-0x0000000074C9F000-memory.dmp

Filesize
4KB

Download
memory/2888-116-0x0000000074C90000-0x0000000075440000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads