38a7ee227c2402f5ace5e6b53c6c51f4f51a8b8dc1f9977381ff6ae41c1e316b

General

Target

38a7ee227c2402f5ace5e6b53c6c51f4f51a8b8dc1f9977381ff6ae41c1e316b.exe
Size

3.1MB
MD5

0704bfe2893b2e60d00b625ab51ef65b
SHA1

eac189e79ae1496b33747a8524abce5dccd85acd
SHA256

38a7ee227c2402f5ace5e6b53c6c51f4f51a8b8dc1f9977381ff6ae41c1e316b
SHA512

682dc19f8cc9001221526894721ae44707ee72de0bde990fed952edda8cf1018f768ab2abd84823f58396851292c69a84a65819186a6b17adcb55c3acf67887f
SSDEEP

49152:sVAbw8VyRPkVwSdyKE6a8anqApzEVZnk8m0Uf89+zvi1QXsy4TpM+DWUl+n1aso:gA7VyRPS7MLq4ykF09+riyXWz6Ha

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
3092	setup.exe
532	setup.exe
2024	setup.exe

Loads dropped DLL 3 IoCs

pid	Process
3092	setup.exe
532	setup.exe
2024	setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\F:	setup.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	38a7ee227c2402f5ace5e6b53c6c51f4f51a8b8dc1f9977381ff6ae41c1e316b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3092	setup.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4988 wrote to memory of 3092	4988	38a7ee227c2402f5ace5e6b53c6c51f4f51a8b8dc1f9977381ff6ae41c1e316b.exe	85
PID 4988 wrote to memory of 3092	4988	38a7ee227c2402f5ace5e6b53c6c51f4f51a8b8dc1f9977381ff6ae41c1e316b.exe	85
PID 4988 wrote to memory of 3092	4988	38a7ee227c2402f5ace5e6b53c6c51f4f51a8b8dc1f9977381ff6ae41c1e316b.exe	85
PID 3092 wrote to memory of 532	3092	setup.exe	88
PID 3092 wrote to memory of 532	3092	setup.exe	88
PID 3092 wrote to memory of 532	3092	setup.exe	88
PID 3092 wrote to memory of 2024	3092	setup.exe	89
PID 3092 wrote to memory of 2024	3092	setup.exe	89
PID 3092 wrote to memory of 2024	3092	setup.exe	89

C:\Users\Admin\AppData\Local\Temp\38a7ee227c2402f5ace5e6b53c6c51f4f51a8b8dc1f9977381ff6ae41c1e316b.exe
"C:\Users\Admin\AppData\Local\Temp\38a7ee227c2402f5ace5e6b53c6c51f4f51a8b8dc1f9977381ff6ae41c1e316b.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4988
- C:\Users\Admin\AppData\Local\Temp\7zSC737F3C7\setup.exe
  C:\Users\Admin\AppData\Local\Temp\7zSC737F3C7\setup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3092
- - C:\Users\Admin\AppData\Local\Temp\7zSC737F3C7\setup.exe
    C:\Users\Admin\AppData\Local\Temp\7zSC737F3C7\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=112.0.5197.60 --initial-client-data=0x324,0x328,0x32c,0x300,0x330,0x74131b54,0x74131b60,0x74131b6c
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:532
- - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe" --version
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSC737F3C7\setup.exe

Filesize
6.4MB

MD5
607fb47ad9d20bb16f90e4a38c93bbfe

SHA1
578ea8b4bd0bbd32114bfd61910118c3d9cfc355

SHA256
8a82ae5c857123cc6972b93828f3a6202c0db4d325ea6d5b1e36dcfb290c1e09

SHA512
23470d0aa5989132efa1fcd4b1d183374384e3b75249910c08e22d2fedf315f084028b7299d6f6c0a5230b2ec78179485d0f187d0a87f710d25f1eac81939e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2408190000250113092.dll

Filesize
5.9MB

MD5
1e6485e90130bb0cffd2ae2ca7fef2a2

SHA1
b9c01fddb3921b6f56d8d774eb0364f7024428e8

SHA256
907cb59383443ce62fdcd2eb90e4bf32cf3a0de6078e708f694dfc7bd7166b5b

SHA512
e28ec73e1465591827f092b71ab740a8de0b7ffcf5af0b3e4c1c8be37f16f1a87ae4fdfe23c25a305741a5aaf30fd2aab77f55061eb729f0dc5e64aef3dd6527

Download Submit

Analysis

Sharing