8ca05742f8244f60e5b3833752e1b86277572c61fac7854abc1fae96000c3452

General

Target

8ca05742f8244f60e5b3833752e1b86277572c61fac7854abc1fae96000c3452.exe
Size

3.1MB
MD5

9cb98492fca978dfb1f51e87bfc9064d
SHA1

6e44d3e9eb0525de20fe57d2adec75b5af990583
SHA256

8ca05742f8244f60e5b3833752e1b86277572c61fac7854abc1fae96000c3452
SHA512

f4f1e582b8872dfb9421858d21d77371d1768bd89eacb722d94184c5a11d2d73e5e2c8014340a1ceaf7b2d283d1abbdef946d72cda3b995a2a8840fedc139a22
SSDEEP

49152:wVAbw8VyRPkVwSdyKE6a8anqApzEVZnk8m0Uf89+zvi1QXsy4TpM+DWUl+n1aso:cA7VyRPS7MLq4ykF09+riyXWz6Ha

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
3248	setup.exe
2456	setup.exe
1216	setup.exe

Loads dropped DLL 3 IoCs

pid	Process
3248	setup.exe
2456	setup.exe
1216	setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\F:	setup.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8ca05742f8244f60e5b3833752e1b86277572c61fac7854abc1fae96000c3452.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3248	setup.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 3248	2224	8ca05742f8244f60e5b3833752e1b86277572c61fac7854abc1fae96000c3452.exe	85
PID 2224 wrote to memory of 3248	2224	8ca05742f8244f60e5b3833752e1b86277572c61fac7854abc1fae96000c3452.exe	85
PID 2224 wrote to memory of 3248	2224	8ca05742f8244f60e5b3833752e1b86277572c61fac7854abc1fae96000c3452.exe	85
PID 3248 wrote to memory of 2456	3248	setup.exe	88
PID 3248 wrote to memory of 2456	3248	setup.exe	88
PID 3248 wrote to memory of 2456	3248	setup.exe	88
PID 3248 wrote to memory of 1216	3248	setup.exe	89
PID 3248 wrote to memory of 1216	3248	setup.exe	89
PID 3248 wrote to memory of 1216	3248	setup.exe	89

C:\Users\Admin\AppData\Local\Temp\8ca05742f8244f60e5b3833752e1b86277572c61fac7854abc1fae96000c3452.exe
"C:\Users\Admin\AppData\Local\Temp\8ca05742f8244f60e5b3833752e1b86277572c61fac7854abc1fae96000c3452.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Users\Admin\AppData\Local\Temp\7zS0B81A5B7\setup.exe
  C:\Users\Admin\AppData\Local\Temp\7zS0B81A5B7\setup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3248
- - C:\Users\Admin\AppData\Local\Temp\7zS0B81A5B7\setup.exe
    C:\Users\Admin\AppData\Local\Temp\7zS0B81A5B7\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=112.0.5197.60 --initial-client-data=0x32c,0x330,0x334,0x304,0x338,0x74f01b54,0x74f01b60,0x74f01b6c
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2456
- - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe" --version
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS0B81A5B7\setup.exe

Filesize
6.4MB

MD5
607fb47ad9d20bb16f90e4a38c93bbfe

SHA1
578ea8b4bd0bbd32114bfd61910118c3d9cfc355

SHA256
8a82ae5c857123cc6972b93828f3a6202c0db4d325ea6d5b1e36dcfb290c1e09

SHA512
23470d0aa5989132efa1fcd4b1d183374384e3b75249910c08e22d2fedf315f084028b7299d6f6c0a5230b2ec78179485d0f187d0a87f710d25f1eac81939e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2408182344270523248.dll

Filesize
5.9MB

MD5
1e6485e90130bb0cffd2ae2ca7fef2a2

SHA1
b9c01fddb3921b6f56d8d774eb0364f7024428e8

SHA256
907cb59383443ce62fdcd2eb90e4bf32cf3a0de6078e708f694dfc7bd7166b5b

SHA512
e28ec73e1465591827f092b71ab740a8de0b7ffcf5af0b3e4c1c8be37f16f1a87ae4fdfe23c25a305741a5aaf30fd2aab77f55061eb729f0dc5e64aef3dd6527

Download Submit

Analysis

Sharing