4b3727248da03240398496b39968a722a142977a3239104ac4b83382d8ef0f89

General

Target

4b3727248da03240398496b39968a722a142977a3239104ac4b83382d8ef0f89.exe
Size

3.1MB
MD5

fa6a6ae47171ac612b5b6e16096c09b2
SHA1

16f44111c11201c2ef95fba386c0b53b0ec0a545
SHA256

4b3727248da03240398496b39968a722a142977a3239104ac4b83382d8ef0f89
SHA512

514fcc64fbfc7857753bb11ec76929be51ab32668c711812cddea5d7c9a585b4c86984bdf9ae6a7a218998c8337c2ddf70538c94eb7405e1a0b21f819b974a68
SSDEEP

98304:BAcRTd/kggQSwydThBmnXodHG+z92I0xkZV8zDzSC:ZRTFkg3SwyhsXoRG+zAkZCzDz/

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
3900	setup.exe
4324	setup.exe
6100	setup.exe

Loads dropped DLL 3 IoCs

pid	Process
3900	setup.exe
4324	setup.exe
6100	setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\F:	setup.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4b3727248da03240398496b39968a722a142977a3239104ac4b83382d8ef0f89.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3900	setup.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5196 wrote to memory of 3900	5196	4b3727248da03240398496b39968a722a142977a3239104ac4b83382d8ef0f89.exe	87
PID 5196 wrote to memory of 3900	5196	4b3727248da03240398496b39968a722a142977a3239104ac4b83382d8ef0f89.exe	87
PID 5196 wrote to memory of 3900	5196	4b3727248da03240398496b39968a722a142977a3239104ac4b83382d8ef0f89.exe	87
PID 3900 wrote to memory of 4324	3900	setup.exe	89
PID 3900 wrote to memory of 4324	3900	setup.exe	89
PID 3900 wrote to memory of 4324	3900	setup.exe	89
PID 3900 wrote to memory of 6100	3900	setup.exe	90
PID 3900 wrote to memory of 6100	3900	setup.exe	90
PID 3900 wrote to memory of 6100	3900	setup.exe	90

C:\Users\Admin\AppData\Local\Temp\4b3727248da03240398496b39968a722a142977a3239104ac4b83382d8ef0f89.exe
"C:\Users\Admin\AppData\Local\Temp\4b3727248da03240398496b39968a722a142977a3239104ac4b83382d8ef0f89.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5196
- C:\Users\Admin\AppData\Local\Temp\7zSC44E6793\setup.exe
  C:\Users\Admin\AppData\Local\Temp\7zSC44E6793\setup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3900
- - C:\Users\Admin\AppData\Local\Temp\7zSC44E6793\setup.exe
    C:\Users\Admin\AppData\Local\Temp\7zSC44E6793\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=112.0.5197.104 --initial-client-data=0x32c,0x330,0x334,0x304,0x338,0x74291b54,0x74291b60,0x74291b6c
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:4324
- - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe" --version
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:6100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSC44E6793\setup.exe

Filesize
6.4MB

MD5
b4da1657d31832c9965d54c5037a3402

SHA1
c312863d621b0b5ec9ec930b1db73de3c95f7141

SHA256
563fcd4ca2678ddb6c1366c92aa4daa410d7eba73d68d9336fb967f732770c8d

SHA512
643d2ec57767443e0efcc580a0e5abe062375f34b936daa22aa24e20d837b84854de18f636dc0ca5d100b4309a456746d733a65f8d1ccb173fe590ab5bf99007

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2408260059274733900.dll

Filesize
5.9MB

MD5
e730bd98eb4754f9c0abd490461fbf1d

SHA1
783ea46e2b4d9e48feda3f9839bfbff40d8cf3ae

SHA256
0129372834853db0b565c20cceb3781a021fd7893d44d045f2ae671477a6a92a

SHA512
579cd23108d9cec9ff29447f89b770ee9308b261968242bf8046a3e4ca01704a2cd40072b6814b18d5e0eaa413033eb369c7a65146b3126be14899b73f634167

Download Submit

Analysis

Sharing