47b0f7b7c23510b962f00b4abc2272a2802f56cf2c30b0a53fd18ae9e3d4e2eb

General

Target

47b0f7b7c23510b962f00b4abc2272a2802f56cf2c30b0a53fd18ae9e3d4e2eb.exe
Size

2.0MB
MD5

b7fc8d55b1c78596b6b24d605d2d42a0
SHA1

1ede5fd05bf34afb315fd566e369009c01a262fe
SHA256

47b0f7b7c23510b962f00b4abc2272a2802f56cf2c30b0a53fd18ae9e3d4e2eb
SHA512

8f1fcd86d1f59dce9d66c33829b52b52c72688fd526efdcf9a72bcc8f3d113485cee9a2f580f03b7498f09af20273089207f0f8e1835ce0aef705d71e6b2a10a
SSDEEP

49152:DVAbwuGwKOco09gsJcxlV8fTguPOAItUIrhO5Ov:pApQx5+Mc27g9tfoMv

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
3480	setup.exe
1124	setup.exe
3088	setup.exe

Loads dropped DLL 3 IoCs

pid	Process
3480	setup.exe
1124	setup.exe
3088	setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\F:	setup.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	47b0f7b7c23510b962f00b4abc2272a2802f56cf2c30b0a53fd18ae9e3d4e2eb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3480	setup.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 3480	2436	47b0f7b7c23510b962f00b4abc2272a2802f56cf2c30b0a53fd18ae9e3d4e2eb.exe	86
PID 2436 wrote to memory of 3480	2436	47b0f7b7c23510b962f00b4abc2272a2802f56cf2c30b0a53fd18ae9e3d4e2eb.exe	86
PID 2436 wrote to memory of 3480	2436	47b0f7b7c23510b962f00b4abc2272a2802f56cf2c30b0a53fd18ae9e3d4e2eb.exe	86
PID 3480 wrote to memory of 1124	3480	setup.exe	90
PID 3480 wrote to memory of 1124	3480	setup.exe	90
PID 3480 wrote to memory of 1124	3480	setup.exe	90
PID 3480 wrote to memory of 3088	3480	setup.exe	93
PID 3480 wrote to memory of 3088	3480	setup.exe	93
PID 3480 wrote to memory of 3088	3480	setup.exe	93

C:\Users\Admin\AppData\Local\Temp\47b0f7b7c23510b962f00b4abc2272a2802f56cf2c30b0a53fd18ae9e3d4e2eb.exe
"C:\Users\Admin\AppData\Local\Temp\47b0f7b7c23510b962f00b4abc2272a2802f56cf2c30b0a53fd18ae9e3d4e2eb.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Users\Admin\AppData\Local\Temp\7zS4899CF37\setup.exe
  C:\Users\Admin\AppData\Local\Temp\7zS4899CF37\setup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3480
- - C:\Users\Admin\AppData\Local\Temp\7zS4899CF37\setup.exe
    C:\Users\Admin\AppData\Local\Temp\7zS4899CF37\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=112.0.5197.53 --initial-client-data=0x32c,0x330,0x334,0x304,0x338,0x74cda174,0x74cda180,0x74cda18c
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1124
- - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe" --version
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:3088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS4899CF37\setup.exe

Filesize
5.2MB

MD5
44908c157516d82119d84a3b1c4a31f7

SHA1
dea19891d14b4e3598844f624c919b0dc5ce236f

SHA256
be21539218a31ff278f218a172b9972f4d8978a281387acdadf9a25b86e30b1a

SHA512
5a83d45533202ba573941d041619bd7f17e997f352f73528029d1f07da9a26c4f50f1cf77c822f972b596fa75bd2eeb0bca8170d89343d8b590ba869be058106

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2408190001027043480.dll

Filesize
4.7MB

MD5
d7b7e0f7865a3cc624e95cefe2bc205c

SHA1
1352733bfaa54292d1457d3f7a87069c00a1f56f

SHA256
94028494f0c28a14f21179ef4096e0c52f1d022a5ad65b070f0d8584b500b597

SHA512
e5bced68446f702de4236a6f11ec005bc5233915ff689693a1894afe7ea924ca6d6d8ae722b12daa0ee0b4e35223606a55f13b34db648bfb24e96a76e834ff08

Download Submit

Analysis

Sharing