Analysis

  • max time kernel
    100s
  • max time network
    129s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250619-en
  • resource tags

    arch:x64, arch:x86, image:win11-20250619-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    04/07/2025, 17:56

General

  • Target

    $TEMP/op.exe

  • Size

    140KB

  • MD5

    914343b1c1b811097a1e3d7ccfae2de5

  • SHA1

    b55395baafd8fd2e1e1fdbc9af0ac99d02d1dc5a

  • SHA256

    11522bff74b3badb21250c85358252f450080ae87a94eb92760eed31160d5962

  • SHA512

    81fc0152f9799dae089f696e63ec322d583a363276a383b4afffd19d385528e0e3221a966487d9a8d6b572e8cd24672a2f589ff23074e3b6d3b60d79d609ba31

  • SSDEEP

    3072:jkszWOITsEL50jl7yVCOMaFLB+zzYTih+xs6HH6kr5LGErzn7NtSI:fzZZhOM4B+z0Tih+RH9NLG0rnh

Malware Config

Signatures

  • Executes dropped EXE 9 IoCs
  • Loads dropped DLL 11 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other profile data such as cookies.

  • Enumerates connected drives 3 TTPs 4 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Modifies system certificate store 2 TTPs 5 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\$TEMP\op.exe
    "C:\Users\Admin\AppData\Local\Temp\$TEMP\op.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3688
    • C:\Users\Admin\AppData\Local\Temp\opera.exe
      "C:\Users\Admin\AppData\Local\Temp\opera.exe" -gm2 /silent
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3384
      • C:\Users\Admin\AppData\Local\Temp\7zS83DA1FB7\setup.exe
        C:\Users\Admin\AppData\Local\Temp\7zS83DA1FB7\setup.exe -gm2 /silent --server-tracking-blob=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
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Enumerates connected drives
        • Modifies system certificate store
        • Suspicious use of WriteProcessMemory
        PID:568
        • C:\Users\Admin\AppData\Local\Temp\7zS83DA1FB7\setup.exe
          C:\Users\Admin\AppData\Local\Temp\7zS83DA1FB7\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktop --annotation=ver=120.0.5543.38 --initial-client-data=0x284,0x288,0x28c,0x260,0x290,0x7ffc195aacc8,0x7ffc195aacd4,0x7ffc195aace0
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:5580
        • C:\Users\Admin\AppData\Local\Temp\.opera\998ee02f-5e6d-4198-afbd-bcb98d17ec21 Opera Installer Temp\setup.exe
          "C:\Users\Admin\AppData\Local\Temp\.opera\998ee02f-5e6d-4198-afbd-bcb98d17ec21 Opera Installer Temp\setup.exe" --version
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:3528
        • C:\Users\Admin\AppData\Local\Temp\7zS83DA1FB7\setup.exe
          "C:\Users\Admin\AppData\Local\Temp\7zS83DA1FB7\setup.exe" --backend --install --import-browser-data=0 --enable-crash-reporting=1 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --showunbox=0 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --pintotaskbar=1 --pintostartmenu=0 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=568 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\998ee02f-5e6d-4198-afbd-bcb98d17ec21 Opera Installer Temp\opera_package_20250704175710" --session-guid=cfa7001f-ae18-48ff-81cb-4dde25e7a0c0 --server-tracking-blob="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 " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=8808000000000000
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Enumerates connected drives
          • Suspicious use of WriteProcessMemory
          PID:5016
          • C:\Users\Admin\AppData\Local\Temp\7zS83DA1FB7\setup.exe
            C:\Users\Admin\AppData\Local\Temp\7zS83DA1FB7\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktop --annotation=ver=120.0.5543.38 --initial-client-data=0x290,0x294,0x298,0x260,0x29c,0x7ffc1880acc8,0x7ffc1880acd4,0x7ffc1880ace0
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:4372
        • C:\Users\Admin\AppData\Local\Temp\.opera\998ee02f-5e6d-4198-afbd-bcb98d17ec21 Opera Installer Temp\opera_package_202507041757101\assistant\Assistant_118.0.5461.41_Setup.exe_sfx.exe
          "C:\Users\Admin\AppData\Local\Temp\.opera\998ee02f-5e6d-4198-afbd-bcb98d17ec21 Opera Installer Temp\opera_package_202507041757101\assistant\Assistant_118.0.5461.41_Setup.exe_sfx.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4652
        • C:\Users\Admin\AppData\Local\Temp\.opera\998ee02f-5e6d-4198-afbd-bcb98d17ec21 Opera Installer Temp\opera_package_202507041757101\assistant\assistant_installer.exe
          "C:\Users\Admin\AppData\Local\Temp\.opera\998ee02f-5e6d-4198-afbd-bcb98d17ec21 Opera Installer Temp\opera_package_202507041757101\assistant\assistant_installer.exe" --version
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4956
          • C:\Users\Admin\AppData\Local\Temp\.opera\998ee02f-5e6d-4198-afbd-bcb98d17ec21 Opera Installer Temp\opera_package_202507041757101\assistant\assistant_installer.exe
            "C:\Users\Admin\AppData\Local\Temp\.opera\998ee02f-5e6d-4198-afbd-bcb98d17ec21 Opera Installer Temp\opera_package_202507041757101\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=118.0.5461.41 --initial-client-data=0x234,0x238,0x23c,0x210,0x240,0x7c103c,0x7c1048,0x7c1054
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            PID:3008
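Everything below op.exe in the tree above is an Opera installer chain run with /silent, and the interesting facts are buried in the command lines: three of the ten processes are crashpad handlers, two are `--version` probes, and the backend install (PID 5016) sets `--run-at-startup=1`, `--launchopera=1`, `--pintotaskbar=1` and `--desktopshortcut=1`. The script below is an added example, not part of this sandbox report or of any Opera tooling: it reconstructs the tree from the records above (PIDs and images as shown; parent PIDs taken from the nesting; command lines shortened to the switches that matter) with a small Windows-style tokenizer that handles quotes opening mid-token, then reports depth, role, silence and persistence switches per process. Which switches count as "persistence" is this example's own assumption.

```python
# Added example, not part of the sandbox report. PROCESSES is transcribed from the tree
# above (PID, parent PID implied by nesting, image, command line shortened to the
# switches that matter here); PERSISTENCE_SWITCHES is this example's own choice.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

TEMP_DIR = r"C:\Users\Admin\AppData\Local\Temp"
SETUP = TEMP_DIR + r"\7zS83DA1FB7\setup.exe"
OPERA_TMP = TEMP_DIR + r"\.opera\998ee02f-5e6d-4198-afbd-bcb98d17ec21 Opera Installer Temp"
ASSIST = OPERA_TMP + r"\opera_package_202507041757101\assistant"
PERSISTENCE_SWITCHES = {"run-at-startup": "1", "launchopera": "1",
                        "pintotaskbar": "1", "desktopshortcut": "1"}

PROCESSES = [  # (pid, ppid, image, command line)
    (3688, None, TEMP_DIR + r"\$TEMP\op.exe", rf'"{TEMP_DIR}\$TEMP\op.exe"'),
    (3384, 3688, TEMP_DIR + r"\opera.exe", rf'"{TEMP_DIR}\opera.exe" -gm2 /silent'),
    (568, 3384, SETUP, rf"{SETUP} -gm2 /silent"),
    (5580, 568, SETUP, rf"{SETUP} --type=crashpad-handler /prefetch:4 "
     r'"--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" '
     r"--url=https://crashstats-collector-2.opera.com/"),
    (3528, 568, OPERA_TMP + r"\setup.exe", rf'"{OPERA_TMP}\setup.exe" --version'),
    (5016, 568, SETUP, rf'"{SETUP}" --backend --install --import-browser-data=0 '
     r'--consent-given=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" '
     r"--profile-folder --language=en --allusers=0 --pintotaskbar=1 --pintostartmenu=0 "
     r"--run-at-startup=1 --initial-pid=568 --silent --desktopshortcut=1"),
    (4372, 5016, SETUP, rf"{SETUP} --type=crashpad-handler /prefetch:4"),
    (4652, 568, ASSIST + r"\Assistant_118.0.5461.41_Setup.exe_sfx.exe",
     rf'"{ASSIST}\Assistant_118.0.5461.41_Setup.exe_sfx.exe"'),
    (4956, 568, ASSIST + r"\assistant_installer.exe", rf'"{ASSIST}\assistant_installer.exe" --version'),
    (3008, 4956, ASSIST + r"\assistant_installer.exe",
     rf'"{ASSIST}\assistant_installer.exe" --type=crashpad-handler /prefetch:4'),
]

@dataclass
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str
    switches: Dict[str, Optional[str]] = field(default_factory=dict)
    depth: int = 0          # number of ancestors in the tree

def split_cmdline(cmdline: str) -> List[str]:
    """Split on whitespace, honouring double quotes even when one opens mid-token
    (--installfolder="C:\\a b"). Quotes are dropped, enclosed spaces kept. The
    backslash-before-quote escapes of CommandLineToArgvW are not implemented."""
    tokens, cur, quoted = [], [], False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens

def parse_switches(tokens: List[str]) -> Dict[str, Optional[str]]:
    """'--name=value', '--name', '-name', '/name' -> {name: value or None}.
    Token 0 is the image; a repeated switch keeps its last value."""
    out = {}
    for tok in tokens[1:]:
        if tok and tok[0] in "-/":
            name, sep, value = tok.lstrip("-/").partition("=")
            out[name.lower()] = value if sep else None
    return out

def role(sw: Dict[str, Optional[str]]) -> str:
    return ("crashpad-handler" if sw.get("type") == "crashpad-handler" else
            "version-probe" if "version" in sw else
            "install-backend" if "backend" in sw else "launcher")

def build_tree(records) -> Dict[int, Proc]:
    procs = {pid: Proc(pid, ppid, image, cmd) for pid, ppid, image, cmd in records}
    for p in procs.values():
        p.switches = parse_switches(split_cmdline(p.cmdline))
        cur = p
        while cur.ppid is not None:
            cur, p.depth = procs[cur.ppid], p.depth + 1
    return procs

def triage(procs: Dict[int, Proc]) -> Dict[int, dict]:
    """Per PID: depth, role, run from %TEMP%?, silent?, persistence switches set."""
    return {p.pid: {
        "depth": p.depth, "role": role(p.switches),
        "from_temp": p.image.lower().startswith(TEMP_DIR.lower() + "\\"),
        "silent": "silent" in p.switches,
        "persistence": {k: v for k, v in PERSISTENCE_SWITCHES.items()
                        if p.switches.get(k) == v},
    } for p in procs.values()}

if __name__ == "__main__":
    procs = build_tree(PROCESSES)
    for pid, f in sorted(triage(procs).items(), key=lambda kv: kv[1]["depth"]):
        print(f"{pid:>5} depth={f['depth']} {f['role']:<16} silent={f['silent']} "
              f"persistence={sorted(f['persistence'])}")
```

The tokenizer is deliberately not `shlex.split`, which treats backslashes as escapes and would mangle every Windows path here. Depth reported by the script is zero-based, so it is one less than the ⤵ level shown in the tree.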

Network

        MITRE ATT&CK Enterprise v16

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

          Filesize

          471B

          MD5

          75e48cbe4fb10be793d947d415d1cd8a

          SHA1

          02bf3664f1f3dab5fff8138f272f27a1ffa9c69d

          SHA256

          d2df970c30a798d2eaa1d45c8ca63c54e81b983f70198fac204e5c5e9032b0de

          SHA512

          5ebaa34b9132e93713e13d4bebb629b2859d61307bafd981ea41b7fe04346e98d5c74d433eb872db528d846c4507aace117bcd019312b675bd0ba8b42d117360

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

          Filesize

          412B

          MD5

          35fad44494a9bbd7429437c79732b35d

          SHA1

          52946bb60a15c7200bf29eab2f4422467175d8ec

          SHA256

          003f4e3358c551e6c5511530470b56ab6566c1d20315319979b8f1561b754a7d

          SHA512

          d40d6896c8304d5e9dd795d713504e91ea6d332011a324078e807acb0c600f3affbf15845c250a6dbe8a0f9f6fc52545a2d7c2434ee0ec4f74a49a89dd9a7a2b

        • C:\Users\Admin\AppData\Local\Temp\.opera\998ee02f-5e6d-4198-afbd-bcb98d17ec21 Opera Installer Temp\opera_package_202507041757101\additional_file0.tmp

          Filesize

          2.5MB

          MD5

          4125c9a1d68d6f095316d878dce498c3

          SHA1

          d5a9de9d1d21dfbc6de97f2e7c34629f165f139a

          SHA256

          1faa84af9c9ee61d4550dc8a279434c3f0c9ebea44e6af27c5743af7c59e9ec3

          SHA512

          5dedc6658d786e572438a39a6aa2845881b0469620d2ffa1c228a2fed5b98aa25070bf9e263c25859519427371f7aff7c43705148e11c3f0b54832015813e1f9

        • C:\Users\Admin\AppData\Local\Temp\.opera\998ee02f-5e6d-4198-afbd-bcb98d17ec21 Opera Installer Temp\opera_package_202507041757101\assistant\assistant_installer.exe

          Filesize

          2.1MB

          MD5

          4bf8672d6eecf868b0a0c2d683c35c96

          SHA1

          226f1f9fc47cc31ac1d68645a096dce1b9af7282

          SHA256

          18f66585e1a7ade0b7cbcfb85166b6ed88c07af404dc0cf799254d27bff35b30

          SHA512

          d54c2a95452f8576e8ee3d8baa9e50f493ec8786942ecc531238c91269d77454d7e6834bc06a486b75dd0fca5714a501d7a28873a383570096915c7561507dce

        • C:\Users\Admin\AppData\Local\Temp\.opera\998ee02f-5e6d-4198-afbd-bcb98d17ec21 Opera Installer Temp\opera_package_202507041757101\assistant\dbgcore.dll

          Filesize

          166KB

          MD5

          2cf4691a651e3afc585f5227865e7dab

          SHA1

          3e6508820092c2553b36c32c638b64255c7d3a56

          SHA256

          fd4bbed8ee00d7f822358977dbdd217d9a9b6520c7c1a09da5ebf423e80ccbd6

          SHA512

          4d56799803092847e1600e5fff1121014419240e19b87f1a24f23295983bcd1fd171e87405d2f9aa2e8a3045b9f0f94965779c752856f0653d2516dcb41915c2

        • C:\Users\Admin\AppData\Local\Temp\.opera\998ee02f-5e6d-4198-afbd-bcb98d17ec21 Opera Installer Temp\opera_package_202507041757101\assistant\dbghelp.dll

          Filesize

          1.7MB

          MD5

          5e88bb8a68114b6250413ea5b4bc3067

          SHA1

          9e595e9dfc5530afa875efa0f22f52bfc6eceb53

          SHA256

          bc3e01917c3973b4c3f6c1bae281db643fdea6d7c806fb9c404d714ad34036db

          SHA512

          2fb9ebbd204710f05a07dd9176deffc4898b1058b9e1462da6737520148955fe836de06105832700dc8d44759c61f7757a1907465a72b6b78a809de96a253da8

        • C:\Users\Admin\AppData\Local\Temp\7zS83DA1FB7\setup.exe

          Filesize

          7.2MB

          MD5

          5aa3b05f75e59cef0ad11c2a91a00c4f

          SHA1

          ff061125a854ec3e3ec81e0bdfb6dfba9591ee88

          SHA256

          3e6a2e38a7efdd97b9e1d11eaa8ae7dfc38d53246c067553f8e349708dd4c18d

          SHA512

          92c9a97c08aac5e862946f54c429cf3e5341e09a0c26f91caab74d9e5598aecf35c93fafce56381c0c5d05ab5b34ec9808454a536dd19f20336ff0641d7298bf

        • C:\Users\Admin\AppData\Local\Temp\Opera_installer_250704175709370568.dll

          Filesize

          6.6MB

          MD5

          d2607250e2382325859c6a3abe7fdbe1

          SHA1

          5f9fc893fe2fb45970980d501b47e0b5e206b3b4

          SHA256

          f358970157c32b572f69215adb47d0b4d3ca2ef8c81eaea7d4b4a3a34bd6db5c

          SHA512

          f47ae1737e140278d495810d49e9ac7d3735167683fb3455b161ca158536903d0266fcffc9979d7b8c610a53f5d07a9b554f56f97f76451c2a34834a9cd24be0

        • C:\Users\Admin\AppData\Local\Temp\nsz7928.tmp\inetc.dll

          Filesize

          58KB

          MD5

          34aafdcc9ba1a2acc6d6fe9ca347ac7b

          SHA1

          23a4f3ea483d8643d427b29ed92af8253c0d3e6b

          SHA256

          baf9f333f6276ed10cd1c29c619d1e9143e9b751c5a043d8212567333d0aa9cd

          SHA512

          1ded039235005fc6ea3bdbaac2e4d74892188e089d95ddca1486a1c83dba1b67eca72b3e1318adf3d8753a0f3fe805c6df46f9e6f1fef44bc1f469a93f6466f5

        • C:\Users\Admin\AppData\Local\Temp\opera.exe

          Filesize

          2.5MB

          MD5

          b629471987c90230fdd101fbc3f9dec1

          SHA1

          1d7fc085e9f6b83cb804548e9a48664bc1262335

          SHA256

          2c370e57cb836125d6fe0c7d1475c0a056d514489e37ca276d277dad5ca5a3f6

          SHA512

          3d87098bce72dc1f88e6a376f3dfaa6ad4a954c5a4f34768e8f089e0399230a039f0fed261635e60c6274956f0727d8e704a7fb9c5be95baf5d3d01e1e14609a

        • C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

          Filesize

          40B

          MD5

          04d440a03ff86007d964ac831847d0dd

          SHA1

          9db68af0bfd5d3000decc940676c77413afcfe98

          SHA256

          4f915fe6af633287480caedac56c6d9520e72bc1d4e384dc1d2ec457e523c712

          SHA512

          6c987564641d4b27062edd099b3f8443f69327d7030d4e215a5e9887cd800031f46e18e643914ab5d8ad2c1757d92d096b951b27cb62cbf06f1f925776519c46
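One note on the list above: `nsz7928.tmp\inetc.dll` is the NSIS Inetc plugin unpacked into an NSIS `ns*.tmp` plugin directory, and Inetc is an HTTP download plugin. That is consistent with the 140KB op.exe fetching the 2.5MB opera.exe rather than carrying it, although the empty Network section here does not confirm it. Whichever way the installer arrived, a responder who finds these files on a host wants to match them against the hashes in this report, and the script below is an added example of doing that (not part of the report or of any sandbox tooling). It carries three rows transcribed from the Downloads list above, computes all four digests in one pass over the file, and matches on SHA-256 only; the `b"abc"` input in `__main__` is a constructed stand-in for a recovered file.

```python
# Added example, not part of the sandbox report. REPORT_FILES carries three rows
# transcribed from the Downloads list above; the b"abc" input in __main__ is a
# constructed stand-in for a file recovered from a host.
import hashlib
import io
import os
from typing import Dict, Optional, Tuple

ALGOS = ("md5", "sha1", "sha256", "sha512")

REPORT_FILES = {  # sha256 -> (path in the report, md5, sha1)
    "3e6a2e38a7efdd97b9e1d11eaa8ae7dfc38d53246c067553f8e349708dd4c18d": (
        r"C:\Users\Admin\AppData\Local\Temp\7zS83DA1FB7\setup.exe",
        "5aa3b05f75e59cef0ad11c2a91a00c4f", "ff061125a854ec3e3ec81e0bdfb6dfba9591ee88"),
    "2c370e57cb836125d6fe0c7d1475c0a056d514489e37ca276d277dad5ca5a3f6": (
        r"C:\Users\Admin\AppData\Local\Temp\opera.exe",
        "b629471987c90230fdd101fbc3f9dec1", "1d7fc085e9f6b83cb804548e9a48664bc1262335"),
    "baf9f333f6276ed10cd1c29c619d1e9143e9b751c5a043d8212567333d0aa9cd": (
        r"C:\Users\Admin\AppData\Local\Temp\nsz7928.tmp\inetc.dll",
        "34aafdcc9ba1a2acc6d6fe9ca347ac7b", "23a4f3ea483d8643d427b29ed92af8253c0d3e6b"),
}

def digest_stream(fp, chunk: int = 1 << 20) -> Dict[str, str]:
    """All four digests in a single pass so a large file is read once."""
    hs = {a: hashlib.new(a) for a in ALGOS}
    for block in iter(lambda: fp.read(chunk), b""):
        for h in hs.values():
            h.update(block)
    return {a: h.hexdigest() for a, h in hs.items()}

def digest_bytes(data: bytes) -> Dict[str, str]:
    return digest_stream(io.BytesIO(data))

def digest_file(path: str) -> Dict[str, str]:
    with open(path, "rb") as fp:
        return digest_stream(fp)

def match_report(d: Dict[str, str]) -> Optional[Tuple[str, bool]]:
    """Look the file up by SHA-256 only; MD5 and SHA-1 are collision-broken, so
    they are never used as the key. They are still compared so that a mistyped
    table row shows up as (path, False) rather than as a silent match."""
    row = REPORT_FILES.get(d["sha256"].lower())
    if row is None:
        return None
    path, md5, sha1 = row
    return path, (d["md5"].lower() == md5 and d["sha1"].lower() == sha1)

def scan_dir(root: str) -> Dict[str, Tuple[str, bool]]:
    """Hash every file under root; return {local path: (report path, consistent)}."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            local = os.path.join(dirpath, name)
            try:
                m = match_report(digest_file(local))
            except OSError:
                continue
            if m is not None:
                hits[local] = m
    return hits

if __name__ == "__main__":
    d = digest_bytes(b"abc")           # constructed input, will not match
    print(d["sha256"], match_report(d))
```

`scan_dir` is what you would point at a copied `%TEMP%`; matching on SHA-256 rather than MD5 matters because two different installers can be made to share an MD5, and the report's SSDEEP value is a similarity hash, not an identity check, so it is left out of the exact match on purpose.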