Analysis

  • max time kernel
    134s
  • max time network
    136s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    27/05/2024, 14:38

General

  • Target

    OperaGXSetup(1).exe

  • Size

    5.7MB

  • MD5

    4433c1aafd91585ea93e222e1954e0bc

  • SHA1

    0b3541b7c3a688b9b914ef710a13418d6f1fba2e

  • SHA256

    1ca01074a9eabf046898491b8a45688bcc0c75fe3461a872cd069fba9746198f

  • SHA512

    706a7d3deb44eeaabdb986de6287fffe5e6d82cc7dd8dc3c390f8d4acef9c9071639b7406385c098df1601bb0a3b0bacda87a287159c6ba1f35cb59d9fa74900

  • SSDEEP

    98304:j0NFJ6666666666666666666666666666666x666666666666666fwwwwwwwwwwI:0V8jGykui/8aUooy9hOjFMwSODnQW6vO

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE (4 IoCs)
  • Loads dropped DLL (3 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.

  • Enumerates connected drives (3 TTPs, 2 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory (1 IoC)
  • Modifies Internet Explorer settings (1 TTP, 3 IoCs)
  • Modifies registry class (12 IoCs)
  • Modifies system certificate store (2 TTPs, 3 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (28 IoCs)
  • Suspicious behavior: LoadsDriver (6 IoCs)
  • Suspicious use of AdjustPrivilegeToken (21 IoCs)
  • Suspicious use of SetWindowsHookEx (5 IoCs)
  • Suspicious use of WriteProcessMemory (15 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\OperaGXSetup(1).exe
    "C:\Users\Admin\AppData\Local\Temp\OperaGXSetup(1).exe"
    1⤵
    • Loads dropped DLL
    • Enumerates connected drives
    • Modifies system certificate store
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:204
    • C:\Users\Admin\AppData\Local\Temp\OperaGXSetup(1).exe
      C:\Users\Admin\AppData\Local\Temp\OperaGXSetup(1).exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=109.0.5097.100 --initial-client-data=0x2ac,0x2b0,0x2b4,0x288,0x2b8,0x735c4290,0x735c429c,0x735c42a8
      2⤵
      • Loads dropped DLL
      PID:4068
    • C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\OperaGXSetup(1).exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\OperaGXSetup(1).exe" --version
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:3780
    • C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202405271439021\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202405271439021\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe"
      2⤵
      • Executes dropped EXE
      PID:4672
    • C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202405271439021\assistant\assistant_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202405271439021\assistant\assistant_installer.exe" --version
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1480
      • C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202405271439021\assistant\assistant_installer.exe
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202405271439021\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=73.0.3856.382 --initial-client-data=0x250,0x254,0x258,0x224,0x25c,0x1374f48,0x1374f58,0x1374f64
        3⤵
        • Executes dropped EXE
        PID:500
  • C:\Windows\system32\mspaint.exe
    "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\RepairStep.png" /ForceBootstrapPaint3D
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    PID:4304
  • C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe
    "C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe" -ServerName:Microsoft.MSPaint.AppX437q68k2qc2asvaagas2prv9tjej6ja9.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:2204
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:3012
  • C:\Windows\System32\SystemSettingsBroker.exe
    C:\Windows\System32\SystemSettingsBroker.exe -Embedding
    1⤵
    PID:4304
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s RmSvc
    1⤵
    PID:1464
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k localservice -s SstpSvc
    1⤵
    PID:2300
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:3928
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s RasMan
    1⤵
    PID:1920
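The two crashpad-handler children in the tree carry the installer's own self-description on their command lines: product, version, release channel, and the telemetry endpoint the crash handler would report to. Lifting those out programmatically is quicker and less error-prone than reading them off the tree. The following is an added example written for this page, not code from the report or from Opera; the two command lines are transcribed verbatim from the process list above, and the parser itself (field names, the `summarize` row layout) is my own construction.

```python
import ntpath
import shlex
from urllib.parse import urlparse

# Command lines transcribed from the process tree above (PIDs 4068 and 500).
CRASHPAD_CMDLINES = [
    r'C:\Users\Admin\AppData\Local\Temp\OperaGXSetup(1).exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=109.0.5097.100 --initial-client-data=0x2ac,0x2b0,0x2b4,0x288,0x2b8,0x735c4290,0x735c429c,0x735c42a8',
    r'"C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202405271439021\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=73.0.3856.382 --initial-client-data=0x250,0x254,0x258,0x224,0x25c,0x1374f48,0x1374f58,0x1374f64',
]


def split_windows_cmdline(cmdline):
    """Whitespace-split a Windows command line while honouring double quotes.

    posix=False keeps backslashes literal (no escape processing) and leaves the
    quotes attached to each token, so they are stripped afterwards.
    """
    return [tok.strip('"') for tok in shlex.split(cmdline, posix=False)]


def parse_crashpad_cmdline(cmdline):
    """Extract the fields an analyst cares about from a crashpad-handler command line."""
    argv = split_windows_cmdline(cmdline)
    info = {"image": ntpath.basename(argv[0]), "type": None, "url": None,
            "database": None, "annotations": {}}
    for arg in argv[1:]:
        if not arg.startswith("--"):
            continue  # e.g. /prefetch:4, which is not a crashpad option
        key, _, value = arg[2:].partition("=")
        if key == "annotation":
            # --annotation=name=value: metadata attached to every crash report
            name, _, val = value.partition("=")
            info["annotations"][name] = val
        elif key == "monitor-self-annotation":
            # --monitor-self-annotation=ptype=crashpad-handler
            name, _, val = value.partition("=")
            info["annotations"].setdefault(name, val)
        elif key in ("type", "url", "database"):
            info[key] = value
    return info


def telemetry_host(info):
    """Hostname the crash handler would submit reports to (None if no --url)."""
    return urlparse(info["url"]).hostname if info["url"] else None


def summarize(cmdlines):
    """One row per crashpad process: (image, prod, ver, telemetry host, crash DB dir)."""
    rows = []
    for cmdline in cmdlines:
        info = parse_crashpad_cmdline(cmdline)
        ann = info["annotations"]
        rows.append((info["image"], ann.get("prod"), ann.get("ver"),
                     telemetry_host(info), info["database"]))
    return rows


if __name__ == "__main__":
    for row in summarize(CRASHPAD_CMDLINES):
        print(row)
```

On the report's own data this shows the main installer announcing itself as OperaDesktopGX 109.0.5097.100 and the bundled assistant as 73.0.3856.382, both pointing at crashstats-collector.opera.com and sharing one crash-report database directory. That is consistent with a genuine Opera GX installer; it is not proof of one, since command-line strings are trivially forgeable, and the Authenticode signature on the sample and on the dropped Opera_installer_*.dll is the check that actually settles it.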

Network

MITRE ATT&CK Enterprise v15

Downloads

                  • C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json

                    Filesize

                    2B

                    MD5

                    d751713988987e9331980363e24189ce

                    SHA1

                    97d170e1550eee4afc0af065b78cda302a97674c

                    SHA256

                    4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                    SHA512

                    b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                  • C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json

                    Filesize

                    233B

                    MD5

                    680373d2d146d59b009c28b62a5bbc58

                    SHA1

                    2b2b93772059593cd7155671510a4ed3f92319d1

                    SHA256

                    ace73bf95e197df880cdcab4b59d01f884717cf1efb45efa2fc9f8308a1759be

                    SHA512

                    d54d6d2ddb5e0ba22a3c3f628404c64011de7a43d8218d6dd3bada7e2ef7141288530918f533788fbaa479df3fa83e0148dd7770d6e98f0d38fd653158268698

                  • C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\cloudCommunitySettings.json

                    Filesize

                    2KB

                    MD5

                    404a3ec24e3ebf45be65e77f75990825

                    SHA1

                    1e05647cf0a74cedfdeabfa3e8ee33b919780a61

                    SHA256

                    cc45905af3aaa62601a69c748a06a2fa48eca3b28d44d8ec18764a7e8e4c3da2

                    SHA512

                    a55382b72267375821b0a229d3529ed54cef0f295f550d1e95661bafccec606aa1cd72e059d37d78e7d2927ae72e2919941251d233152f5eeb32ffdfc96023e5

                  • C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\OperaGXSetup(1).exe

                    Filesize

                    5.7MB

                    MD5

                    4433c1aafd91585ea93e222e1954e0bc

                    SHA1

                    0b3541b7c3a688b9b914ef710a13418d6f1fba2e

                    SHA256

                    1ca01074a9eabf046898491b8a45688bcc0c75fe3461a872cd069fba9746198f

                    SHA512

                    706a7d3deb44eeaabdb986de6287fffe5e6d82cc7dd8dc3c390f8d4acef9c9071639b7406385c098df1601bb0a3b0bacda87a287159c6ba1f35cb59d9fa74900

                  • C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202405271439021\additional_file0.tmp

                    Filesize

                    1.4MB

                    MD5

                    e9a2209b61f4be34f25069a6e54affea

                    SHA1

                    6368b0a81608c701b06b97aeff194ce88fd0e3c0

                    SHA256

                    e950f17f4181009eeafa9f5306e8a9dfd26d88ca63b1838f44ff0efc738e7d1f

                    SHA512

                    59e46277ca79a43ed8b0a25b24eff013e251a75f90587e013b9c12851e5dd7283b6172f7d48583982f6a32069457778ee440025c1c754bf7bb6ce8ae1d2c3fc5

                  • C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202405271439021\assistant\assistant_installer.exe

                    Filesize

                    1.8MB

                    MD5

                    4c8fbed0044da34ad25f781c3d117a66

                    SHA1

                    8dd93340e3d09de993c3bc12db82680a8e69d653

                    SHA256

                    afe569ce9e4f71c23ba5f6e8fd32be62ac9538e397cde8f2ecbe46faa721242a

                    SHA512

                    a04e6fd052d2d63a0737c83702c66a9af834f9df8423666508c42b3e1d8384300239c9ddacdc31c1e85140eb1193bcfac209f218750b40342492ffce6e9da481

                  • C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports\settings.dat

                    Filesize

                    40B

                    MD5

                    43ba7d95112f2ccc156a2130cd19c31c

                    SHA1

                    484f4c14722d0b88f97356946394a71f87497dde

                    SHA256

                    b25addbe9fbe9e3200db8f177c18c45fa452d23f6e976fba32e889158b57c297

                    SHA512

                    813524446ba97901c40cfd2ea22869cb296f918be05e082a2e99e999b55aefad250187277316b17bcc2f0811f4c66c46fe5307d3551faa656f3cb52499d4d07b

                  • C:\Windows\INF\netrasa.PNF

                    Filesize

                    22KB

                    MD5

                    80648b43d233468718d717d10187b68d

                    SHA1

                    a1736e8f0e408ce705722ce097d1adb24ebffc45

                    SHA256

                    8ab9a39457507e405ade5ef9d723e0f89bc46d8d8b33d354b00d95847f098380

                    SHA512

                    eec0ac7e7abcf87b3f0f4522b0dd95c658327afb866ceecff3c9ff0812a521201d729dd71d43f3ac46536f8435d4a49ac157b6282077c7c1940a6668f3b3aea9

                  • \Users\Admin\AppData\Local\Temp\Opera_installer_240527143902200204.dll

                    Filesize

                    5.2MB

                    MD5

                    623dcca5a87dda60785b7b534eb7b621

                    SHA1

                    f9bd7545c032221b085202d5aa1e44846df57652

                    SHA256

                    f675607a12ff20d454c79bcc36c9bc2ca6760f49a6c79e3023e949b96d04f67a

                    SHA512

                    d44e2c9d2edd7bfd0aea64071ecec88b871a5af2e5d4c41ce1ba36dcf2e094d5546dcce73779a41ba528ce8265aaa1bba33e21ba1fd92caab01f43e79b0d6bfd
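The hash list above is the report's own data; what follows is an added triage pass over it, written for this page and not part of the report or of Opera's tooling. It does three things the report leaves to the reader: it flags dropped files that are byte-identical to the submitted sample (the copy under `Opera GX Installer Temp` shares every hash with the target, so it is a self-copy rather than a second payload), it recognises the 2-byte `Projects.json` as the well-known digest of an empty JSON array, and it tags paths that belong to the sandbox's own activity rather than to the sample (the MSPaint LocalState files come from the Paint session visible in the process tree; the `.PNF` under `C:\Windows\INF` is a precompiled INF, and the only process the tree shows dropping into the Windows directory is the NetSetupSvc svchost). The SHA-256 values are transcribed from the report; the `origin_hint` heuristics and the known-content table are my assumptions, not anything the report asserts.

```python
import hashlib
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class Dropped:
    path: str
    size: str      # as printed in the report
    sha256: str


# Transcribed from the report's General and Downloads sections.
TARGET_SHA256 = "1ca01074a9eabf046898491b8a45688bcc0c75fe3461a872cd069fba9746198f"
DOWNLOADS = [
    Dropped(r"C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json",
            "2B", "4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945"),
    Dropped(r"C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json",
            "233B", "ace73bf95e197df880cdcab4b59d01f884717cf1efb45efa2fc9f8308a1759be"),
    Dropped(r"C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\cloudCommunitySettings.json",
            "2KB", "cc45905af3aaa62601a69c748a06a2fa48eca3b28d44d8ec18764a7e8e4c3da2"),
    Dropped(r"C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\OperaGXSetup(1).exe",
            "5.7MB", "1ca01074a9eabf046898491b8a45688bcc0c75fe3461a872cd069fba9746198f"),
    Dropped(r"C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202405271439021\additional_file0.tmp",
            "1.4MB", "e950f17f4181009eeafa9f5306e8a9dfd26d88ca63b1838f44ff0efc738e7d1f"),
    Dropped(r"C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202405271439021\assistant\assistant_installer.exe",
            "1.8MB", "afe569ce9e4f71c23ba5f6e8fd32be62ac9538e397cde8f2ecbe46faa721242a"),
    Dropped(r"C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports\settings.dat",
            "40B", "b25addbe9fbe9e3200db8f177c18c45fa452d23f6e976fba32e889158b57c297"),
    Dropped(r"C:\Windows\INF\netrasa.PNF",
            "22KB", "8ab9a39457507e405ade5ef9d723e0f89bc46d8d8b33d354b00d95847f098380"),
    Dropped(r"\Users\Admin\AppData\Local\Temp\Opera_installer_240527143902200204.dll",
            "5.2MB", "f675607a12ff20d454c79bcc36c9bc2ca6760f49a6c79e3023e949b96d04f67a"),
]

# Tiny byte strings whose digests turn up as "dropped files" in many reports.
# Computed at import time so the table never carries a mistyped hash.
KNOWN_CONTENT = {b"": "empty file", b"[]": "empty JSON array", b"{}": "empty JSON object"}
KNOWN_BY_SHA256 = {hashlib.sha256(data).hexdigest(): label for data, label in KNOWN_CONTENT.items()}


def self_copies(target_sha256, downloads):
    """Paths of dropped files that are byte-identical to the submitted sample."""
    return [d.path for d in downloads if d.sha256.lower() == target_sha256.lower()]


def known_content(dropped):
    """Label for a dropped file whose digest is that of a well-known trivial payload, else None."""
    return KNOWN_BY_SHA256.get(dropped.sha256.lower())


def origin_hint(dropped):
    """Heuristic (assumption, not report data) for who wrote the file."""
    p = dropped.path.lower()
    if "\\microsoft.mspaint_" in p:
        return "mspaint state (sandbox user simulation, not the sample)"
    if p.startswith("c:\\windows\\inf\\") and p.endswith(".pnf"):
        return "precompiled INF (system service; NetSetupSvc is the only Windows-dir writer in the tree)"
    if "\\.opera\\" in p or "\\opera software\\" in p or ntpath.basename(p).startswith("opera_installer_"):
        return "written by the sample's installer chain"
    return "unknown"


def triage(target_sha256, downloads):
    """One (path, note) row per dropped file."""
    rows = []
    for d in downloads:
        notes = []
        if d.sha256.lower() == target_sha256.lower():
            notes.append("byte-identical copy of the submitted sample")
        label = known_content(d)
        if label:
            notes.append(label)
        notes.append(origin_hint(d))
        rows.append((d.path, "; ".join(notes)))
    return rows


if __name__ == "__main__":
    for path, note in triage(TARGET_SHA256, DOWNLOADS):
        print(f"{note:75s} {path}")
```

Run on the report's list, this reduces nine "downloads" to two that actually matter for the verdict: `additional_file0.tmp` and `Opera_installer_*.dll`, the only unpacked artifacts with no obvious explanation from the tree, which is where a second-stage check (signature, imports, strings) should be spent. The rest is either the sample copying itself, a 40-byte crashpad settings file, or the sandbox's own Paint and networking services touching disk.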