d829d1164deaf2cd403debfb98bb2664f654f72ed1b0e427ee65254bc0b504b9

General

Target

OperaGXSetup.exe
Size

3.1MB
MD5

df877cc1d259bf6744c398b28863e5de
SHA1

8cb0cf8c3e4f1a183db00821d30b29549e50e819
SHA256

d829d1164deaf2cd403debfb98bb2664f654f72ed1b0e427ee65254bc0b504b9
SHA512

b6143b70d283b41c200075d99e1f6967b2f2e2740f33eb3a1baf8f8eeae20e0518d49ad82605561b2f4cabcb0e46eab4212ad3ef3e7e37ebfe0b8e3b058a763b
SSDEEP

49152:hNEyYQPMB2nYlQWY9p/RxOgkDA5/uzsKFuaLU0kOyrRBzfMUNYpoMjw3:vEsY213Rx+87aLU0kPElq

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3928	setup.exe
1404	setup.exe
2824	setup.exe

Loads dropped DLL 3 IoCs

pid	Process
3928	setup.exe
1404	setup.exe
2824	setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\F:	setup.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3928	setup.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 3928	2732	OperaGXSetup.exe	78
PID 2732 wrote to memory of 3928	2732	OperaGXSetup.exe	78
PID 2732 wrote to memory of 3928	2732	OperaGXSetup.exe	78
PID 3928 wrote to memory of 1404	3928	setup.exe	79
PID 3928 wrote to memory of 1404	3928	setup.exe	79
PID 3928 wrote to memory of 1404	3928	setup.exe	79
PID 3928 wrote to memory of 2824	3928	setup.exe	80
PID 3928 wrote to memory of 2824	3928	setup.exe	80
PID 3928 wrote to memory of 2824	3928	setup.exe	80

C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe
"C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Users\Admin\AppData\Local\Temp\7zSCAA72A27\setup.exe
  C:\Users\Admin\AppData\Local\Temp\7zSCAA72A27\setup.exe --server-tracking-blob=MzE2YTJkYTA5ODMyZGQ1MTM4NzBkMzRlZTE0NDRiZDFhZGRmYTdjOWM1NzRjNDZhN2MxZDIwY2I4YWE1YmU2Yjp7ImNvdW50cnkiOiJVUyIsImh0dHBfcmVmZXJyZXIiOiJodHRwczovL3d3dy5vcGVyYS5jb20vIiwiaW5zdGFsbGVyX25hbWUiOiJPcGVyYUdYU2V0dXAuZXhlIiwicHJvZHVjdCI6Im9wZXJhX2d4IiwicXVlcnkiOiIvb3BlcmFfZ3gvc3RhYmxlL3dpbmRvd3M/dXRtX3NvdXJjZT1iaW5nJnV0bV9tZWRpdW09cGEmdXRtX2NhbXBhaWduPVVTJTI1MjAtJTI1MjBQZXJmb3JtYW5jZSUyNTIwTWF4JTI1MjAtJTI1MjBFTiUyNTIwLSUyNTIwTUtUJnV0bV9jb250ZW50PUFJJTI1MjAtJTI1MjBQZW9wbGUlMjUyME5ldyUyNTIwVmVyc2lvbiZ1dG1faWQ9bXNjbGtpZF83YzNmNDA4N2M5MDAxZjJhZWMwMjI1NTE5ZDQzNWM1YyZodHRwX3JlZmVycmVyPWh0dHBzJTNBJTJGJTJGd3d3LmJpbmcuY29tJTJGJnV0bV9zaXRlPW9wZXJhX2NvbSZ1dG1fbGFzdHBhZ2U9b3BlcmEuY29tJTJGJmRsX3Rva2VuPTMzNzQ1MjI5IiwidGltZXN0YW1wIjoiMTcyMDA0NTk5Ni4wMjAyIiwidXNlcmFnZW50IjoiTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzEyNi4wLjAuMCBTYWZhcmkvNTM3LjM2IEVkZy8xMjYuMC4wLjAiLCJ1dG0iOnsiY2FtcGFpZ24iOiJVUyUyMC0lMjBQZXJmb3JtYW5jZSUyME1heCUyMC0lMjBFTiUyMC0lMjBNS1QiLCJjb250ZW50IjoiQUklMjAtJTIwUGVvcGxlJTIwTmV3JTIwVmVyc2lvbiIsImlkIjoibXNjbGtpZF83YzNmNDA4N2M5MDAxZjJhZWMwMjI1NTE5ZDQzNWM1YyIsImxhc3RwYWdlIjoib3BlcmEuY29tLyIsIm1lZGl1bSI6InBhIiwic2l0ZSI6Im9wZXJhX2NvbSIsInNvdXJjZSI6ImJpbmcifSwidXVpZCI6ImFiZjIxMmQzLTJkODEtNDFiOC1iZWQ4LTU0MmU0NzNjNGUzOSJ9
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3928
- - C:\Users\Admin\AppData\Local\Temp\7zSCAA72A27\setup.exe
    C:\Users\Admin\AppData\Local\Temp\7zSCAA72A27\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=111.0.5168.54 --initial-client-data=0x328,0x32c,0x330,0x304,0x334,0x74db1138,0x74db1144,0x74db1150
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1404
- - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe" --version
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSCAA72A27\setup.exe

Filesize
6.4MB

MD5
97d3cae40268951e9e8da731c0820f0a

SHA1
34358b04b5fb6c97a94a4bad28bdeed5888b2241

SHA256
e19f63f813df6f8b2d0e6ecc09e91b81caf6d330acde1996296120ae58e67baf

SHA512
ba0c7ab04c8a1ff77c900d9f84e57eb1846e3bd697982884ad8790a65ff6fb8aa19d622368bbd9f8efaf79872d207f3e568e57fe3d7288c912591f7c02adf3c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2407040416356053928.dll

Filesize
5.9MB

MD5
c6cbf40287bc8a4ec0f0801b8a6905ab

SHA1
5a62c2d2acbcc3bb8bbad3a5913f65b134008966

SHA256
344093a219d1b4ae17ef4a188d87057e0c83c897381a9883eb76b9f06fb08160

SHA512
7704f3d09d2d6b08d624427a950d3a31ba750a3327862b6d96b5e60e3b6450f36860e5f55b5b39ff46b0105d6f6eaec32f344e2beae112757e8c52e359014b15

Download Submit

Analysis

Sharing