Analysis

  • max time kernel
    104s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250610-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20250610-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/07/2025, 17:56

General

  • Target

    $TEMP/op.exe

  • Size

    140KB

  • MD5

    914343b1c1b811097a1e3d7ccfae2de5

  • SHA1

    b55395baafd8fd2e1e1fdbc9af0ac99d02d1dc5a

  • SHA256

    11522bff74b3badb21250c85358252f450080ae87a94eb92760eed31160d5962

  • SHA512

    81fc0152f9799dae089f696e63ec322d583a363276a383b4afffd19d385528e0e3221a966487d9a8d6b572e8cd24672a2f589ff23074e3b6d3b60d79d609ba31

  • SSDEEP

    3072:jkszWOITsEL50jl7yVCOMaFLB+zzYTih+xs6HH6kr5LGErzn7NtSI:fzZZhOM4B+z0Tih+RH9NLG0rnh

Malware Config

Signatures

  • Downloads MZ/PE file 2 IoCs
  • Executes dropped EXE 9 IoCs
  • Loads dropped DLL 11 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 4 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies system certificate store 2 TTPs 5 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\$TEMP\op.exe
    "C:\Users\Admin\AppData\Local\Temp\$TEMP\op.exe"
    1⤵
    • Downloads MZ/PE file
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5768
    • C:\Users\Admin\AppData\Local\Temp\opera.exe
      "C:\Users\Admin\AppData\Local\Temp\opera.exe" -gm2 /silent
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4964
      • C:\Users\Admin\AppData\Local\Temp\7zS463CC3F7\setup.exe
        C:\Users\Admin\AppData\Local\Temp\7zS463CC3F7\setup.exe -gm2 /silent --server-tracking-blob=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
        3⤵
        • Downloads MZ/PE file
        • Executes dropped EXE
        • Loads dropped DLL
        • Enumerates connected drives
        • Modifies system certificate store
        • Suspicious use of WriteProcessMemory
        PID:4940
        • C:\Users\Admin\AppData\Local\Temp\7zS463CC3F7\setup.exe
          C:\Users\Admin\AppData\Local\Temp\7zS463CC3F7\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktop --annotation=ver=120.0.5543.38 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0x7ffbed70acc8,0x7ffbed70acd4,0x7ffbed70ace0
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:5936
        • C:\Users\Admin\AppData\Local\Temp\.opera\78869187-278b-47ac-949a-59ae38fa9144 Opera Installer Temp\setup.exe
          "C:\Users\Admin\AppData\Local\Temp\.opera\78869187-278b-47ac-949a-59ae38fa9144 Opera Installer Temp\setup.exe" --version
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:1256
        • C:\Users\Admin\AppData\Local\Temp\7zS463CC3F7\setup.exe
          "C:\Users\Admin\AppData\Local\Temp\7zS463CC3F7\setup.exe" --backend --install --import-browser-data=0 --enable-crash-reporting=1 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --showunbox=0 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=4940 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\78869187-278b-47ac-949a-59ae38fa9144 Opera Installer Temp\opera_package_20250704175710" --session-guid=d7576328-f098-4910-afc7-df27f531b217 --server-tracking-blob="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 " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=2407000000000000
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Enumerates connected drives
          • Suspicious use of WriteProcessMemory
          PID:5288
          • C:\Users\Admin\AppData\Local\Temp\7zS463CC3F7\setup.exe
            C:\Users\Admin\AppData\Local\Temp\7zS463CC3F7\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktop --annotation=ver=120.0.5543.38 --initial-client-data=0x260,0x264,0x274,0x23c,0x278,0x7ffbec69acc8,0x7ffbec69acd4,0x7ffbec69ace0
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:2252
        • C:\Users\Admin\AppData\Local\Temp\.opera\78869187-278b-47ac-949a-59ae38fa9144 Opera Installer Temp\opera_package_202507041757101\assistant\Assistant_118.0.5461.41_Setup.exe_sfx.exe
          "C:\Users\Admin\AppData\Local\Temp\.opera\78869187-278b-47ac-949a-59ae38fa9144 Opera Installer Temp\opera_package_202507041757101\assistant\Assistant_118.0.5461.41_Setup.exe_sfx.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3128
        • C:\Users\Admin\AppData\Local\Temp\.opera\78869187-278b-47ac-949a-59ae38fa9144 Opera Installer Temp\opera_package_202507041757101\assistant\assistant_installer.exe
          "C:\Users\Admin\AppData\Local\Temp\.opera\78869187-278b-47ac-949a-59ae38fa9144 Opera Installer Temp\opera_package_202507041757101\assistant\assistant_installer.exe" --version
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2992
          • C:\Users\Admin\AppData\Local\Temp\.opera\78869187-278b-47ac-949a-59ae38fa9144 Opera Installer Temp\opera_package_202507041757101\assistant\assistant_installer.exe
            "C:\Users\Admin\AppData\Local\Temp\.opera\78869187-278b-47ac-949a-59ae38fa9144 Opera Installer Temp\opera_package_202507041757101\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=118.0.5461.41 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0xcc103c,0xcc1048,0xcc1054
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            PID:3280

Network

        MITRE ATT&CK Enterprise v16

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

          Filesize

          471B

          MD5

          75e48cbe4fb10be793d947d415d1cd8a

          SHA1

          02bf3664f1f3dab5fff8138f272f27a1ffa9c69d

          SHA256

          d2df970c30a798d2eaa1d45c8ca63c54e81b983f70198fac204e5c5e9032b0de

          SHA512

          5ebaa34b9132e93713e13d4bebb629b2859d61307bafd981ea41b7fe04346e98d5c74d433eb872db528d846c4507aace117bcd019312b675bd0ba8b42d117360

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

          Filesize

          412B

          MD5

          d02d918d559395e050ff11b1f82d3465

          SHA1

          20d8a0ccf10ba74d55bde504986ce13ab72c45b3

          SHA256

          02f5a9c2708d5b4d37f8c1fb5bfb05453b19fe9fe782e9a8ffb5eb34cf3a3dc0

          SHA512

          722f7c477c7049207e8360a0b3197546b823804a076bdf26fe939ff9ade9686daeafe2f99e514e13dca3ad5c41bae39a5377476e89bbd6cee3a5a3d56651b7e5

        • C:\Users\Admin\AppData\Local\Temp\.opera\78869187-278b-47ac-949a-59ae38fa9144 Opera Installer Temp\opera_package_202507041757101\assistant\Assistant_118.0.5461.41_Setup.exe_sfx.exe

          Filesize

          2.5MB

          MD5

          4125c9a1d68d6f095316d878dce498c3

          SHA1

          d5a9de9d1d21dfbc6de97f2e7c34629f165f139a

          SHA256

          1faa84af9c9ee61d4550dc8a279434c3f0c9ebea44e6af27c5743af7c59e9ec3

          SHA512

          5dedc6658d786e572438a39a6aa2845881b0469620d2ffa1c228a2fed5b98aa25070bf9e263c25859519427371f7aff7c43705148e11c3f0b54832015813e1f9

        • C:\Users\Admin\AppData\Local\Temp\.opera\78869187-278b-47ac-949a-59ae38fa9144 Opera Installer Temp\opera_package_202507041757101\assistant\assistant_installer.exe

          Filesize

          2.1MB

          MD5

          4bf8672d6eecf868b0a0c2d683c35c96

          SHA1

          226f1f9fc47cc31ac1d68645a096dce1b9af7282

          SHA256

          18f66585e1a7ade0b7cbcfb85166b6ed88c07af404dc0cf799254d27bff35b30

          SHA512

          d54c2a95452f8576e8ee3d8baa9e50f493ec8786942ecc531238c91269d77454d7e6834bc06a486b75dd0fca5714a501d7a28873a383570096915c7561507dce

        • C:\Users\Admin\AppData\Local\Temp\.opera\78869187-278b-47ac-949a-59ae38fa9144 Opera Installer Temp\opera_package_202507041757101\assistant\dbgcore.dll

          Filesize

          166KB

          MD5

          2cf4691a651e3afc585f5227865e7dab

          SHA1

          3e6508820092c2553b36c32c638b64255c7d3a56

          SHA256

          fd4bbed8ee00d7f822358977dbdd217d9a9b6520c7c1a09da5ebf423e80ccbd6

          SHA512

          4d56799803092847e1600e5fff1121014419240e19b87f1a24f23295983bcd1fd171e87405d2f9aa2e8a3045b9f0f94965779c752856f0653d2516dcb41915c2

        • C:\Users\Admin\AppData\Local\Temp\.opera\78869187-278b-47ac-949a-59ae38fa9144 Opera Installer Temp\opera_package_202507041757101\assistant\dbghelp.dll

          Filesize

          1.7MB

          MD5

          5e88bb8a68114b6250413ea5b4bc3067

          SHA1

          9e595e9dfc5530afa875efa0f22f52bfc6eceb53

          SHA256

          bc3e01917c3973b4c3f6c1bae281db643fdea6d7c806fb9c404d714ad34036db

          SHA512

          2fb9ebbd204710f05a07dd9176deffc4898b1058b9e1462da6737520148955fe836de06105832700dc8d44759c61f7757a1907465a72b6b78a809de96a253da8

        • C:\Users\Admin\AppData\Local\Temp\7zS463CC3F7\setup.exe

          Filesize

          7.2MB

          MD5

          5aa3b05f75e59cef0ad11c2a91a00c4f

          SHA1

          ff061125a854ec3e3ec81e0bdfb6dfba9591ee88

          SHA256

          3e6a2e38a7efdd97b9e1d11eaa8ae7dfc38d53246c067553f8e349708dd4c18d

          SHA512

          92c9a97c08aac5e862946f54c429cf3e5341e09a0c26f91caab74d9e5598aecf35c93fafce56381c0c5d05ab5b34ec9808454a536dd19f20336ff0641d7298bf

        • C:\Users\Admin\AppData\Local\Temp\Opera_installer_2507041757100874940.dll

          Filesize

          6.6MB

          MD5

          d2607250e2382325859c6a3abe7fdbe1

          SHA1

          5f9fc893fe2fb45970980d501b47e0b5e206b3b4

          SHA256

          f358970157c32b572f69215adb47d0b4d3ca2ef8c81eaea7d4b4a3a34bd6db5c

          SHA512

          f47ae1737e140278d495810d49e9ac7d3735167683fb3455b161ca158536903d0266fcffc9979d7b8c610a53f5d07a9b554f56f97f76451c2a34834a9cd24be0

        • C:\Users\Admin\AppData\Local\Temp\nssB21B.tmp\inetc.dll

          Filesize

          58KB

          MD5

          34aafdcc9ba1a2acc6d6fe9ca347ac7b

          SHA1

          23a4f3ea483d8643d427b29ed92af8253c0d3e6b

          SHA256

          baf9f333f6276ed10cd1c29c619d1e9143e9b751c5a043d8212567333d0aa9cd

          SHA512

          1ded039235005fc6ea3bdbaac2e4d74892188e089d95ddca1486a1c83dba1b67eca72b3e1318adf3d8753a0f3fe805c6df46f9e6f1fef44bc1f469a93f6466f5

        • C:\Users\Admin\AppData\Local\Temp\opera.exe

          Filesize

          2.5MB

          MD5

          32ab89ac4378f082af8c831586254701

          SHA1

          e79bbdd9505eb7708e346ab0fa2dcc132dcd5788

          SHA256

          24777a723a1fb79a51bf6a635d7bbca38bc25cbfdc9372892fca2af174356f96

          SHA512

          3c7e0655c36f065bec390218b27063b29599921de82b656a646f94d3f2969852898a4e0b588eaf9ee5079d5be7933c03ac63bf44857b0d5df7780e6b4c076cd1

        • C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

          Filesize

          40B

          MD5

          6f25bc28daf2fbf9644a6f5df874f89d

          SHA1

          df74f805cdfe97d9c1efb38353edfbc576569eeb

          SHA256

          3faaf0ba2a22bee2f5d0dbb67fbea4cd48573ab027145917c21aee906607089c

          SHA512

          c42b06479cac848e2e36c2519c6def1feebbcdca0109498b5e194afa703e0619546547d235d3c0b014219428b61fe05b5e21acd52db3842fa692079a5e0e725a