File name: OperaGXSetup.exe
Full analysis: https://app.any.run/tasks/4e4f35b5-ead3-433b-ba6b-109f70a27006
Verdict: Malicious activity
Analysis date: March 31, 2023, 19:39:12
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5: 2D1079B9CB21A2CDB56799C2601A4F57
SHA1: DE7642E21B26CD2110B5587C5BABE6D3E913808D
SHA256: 0F7C489C79CFFBD581CFBB32FB066C223F8DE1FF30F71E129D0F4DE34ED532AB
SSDEEP: 98304:vPxoH1bw2wniA9q7hbBLKeqV9PdDOAz9ulhDAtmLPUFOOY961QdOjcXSnoJQ:vJcb+Zq7hbyVbPtmhOGOtT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Application launched itself

      • OperaGXSetup.exe (PID: 2668)
    • Executable content was dropped or overwritten

      • OperaGXSetup.exe (PID: 3060)
      • OperaGXSetup.exe (PID: 3116)
      • OperaGXSetup.exe (PID: 2668)
    • Reads the Internet Settings

      • OperaGXSetup.exe (PID: 2668)
    • Starts itself from another location

      • OperaGXSetup.exe (PID: 2668)
    • Checks Windows Trust Settings

      • OperaGXSetup.exe (PID: 2668)
    • Reads settings of System Certificates

      • OperaGXSetup.exe (PID: 2668)
    • Reads security settings of Internet Explorer

      • OperaGXSetup.exe (PID: 2668)
  • INFO

    • Checks supported languages

      • OperaGXSetup.exe (PID: 2668)
      • OperaGXSetup.exe (PID: 3060)
      • OperaGXSetup.exe (PID: 3116)
    • The process checks LSA protection

      • OperaGXSetup.exe (PID: 2668)
    • Reads the computer name

      • OperaGXSetup.exe (PID: 2668)
    • Creates files in a temporary directory

      • OperaGXSetup.exe (PID: 3060)
      • OperaGXSetup.exe (PID: 2668)
      • OperaGXSetup.exe (PID: 3116)
    • Creates files or folders in the user directory

      • OperaGXSetup.exe (PID: 3060)
      • OperaGXSetup.exe (PID: 2668)
    • Checks proxy server information

      • OperaGXSetup.exe (PID: 2668)
    • Reads the machine GUID from the registry

      • OperaGXSetup.exe (PID: 2668)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

ProductVersion: 96.0.4693.127
ProductName: Opera GX Installer
LegalCopyright: Copyright Opera Software 2023
InternalName: Opera GX
FileVersion: 96.0.4693.127
FileDescription: Opera GX Installer
CompanyName: Opera Software
CharacterSet: Unicode
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Windows NT 32-bit
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 96.0.4693.127
FileVersionNumber: 96.0.4693.127
Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x5e2e70
UninitializedDataSize: 2588672
InitializedDataSize: 16384
CodeSize: 3584000
LinkerVersion: 14
PEType: PE32
ImageFileCharacteristics: Executable, Large address aware, 32-bit
TimeStamp: 2023:03:28 15:34:35+00:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 28-Mar-2023 15:34:35
Detected languages:
  • English - United States
CompanyName: Opera Software
FileDescription: Opera GX Installer
FileVersion: 96.0.4693.127
InternalName: Opera GX
LegalCopyright: Copyright Opera Software 2023
ProductName: Opera GX Installer
ProductVersion: 96.0.4693.127

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0078
Pages in file: 0x0001
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0x0000
Initial SS value: 0x0000
Initial SP value: 0x0000
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000078

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 3
Time date stamp: 28-Mar-2023 15:34:35
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
UPX0 | 0x00001000 | 0x00278000 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0
UPX1 | 0x00279000 | 0x0036B000 | 0x0036A200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.7771
.rsrc | 0x005E4000 | 0x00004000 | 0x00003200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.30527

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 5.34927 | 978 | Latin 1 / Western European | English - United States | RT_MANIFEST
132 | 5.27193 | 40 | Latin 1 / Western European | English - United States | TXT
140 | 7.69054 | 11540 | Latin 1 / Western European | English - United States | TXT
141 | 7.46366 | 1267 | Latin 1 / Western European | English - United States | PNG
142 | 7.43993 | 1508 | Latin 1 / Western European | English - United States | PNG
143 | 7.57355 | 1792 | Latin 1 / Western European | English - United States | PNG
144 | 7.68251 | 2370 | Latin 1 / Western European | English - United States | PNG
145 | 7.70518 | 11540 | Latin 1 / Western European | English - United States | TXT
146 | 7.74528 | 52724 | Latin 1 / Western European | English - United States | TXT
147 | 7.70817 | 52724 | Latin 1 / Western European | English - United States | TXT

Imports

COMCTL32.dll
KERNEL32.DLL
USER32.dll
No data.
All screenshots are available in the full report
Total processes: 38
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 1

Behavior graph

(Interactive graph not reproduced. Nodes: operagxsetup.exe, operagxsetup.exe, operagxsetup.exe; edges: drop and start, drop and start, start.)

Process information

PID: 2668
CMD: "C:\Users\admin\AppData\Local\Temp\OperaGXSetup.exe"
Path: C:\Users\admin\AppData\Local\Temp\OperaGXSetup.exe
Parent process: explorer.exe
User: admin
Company: Opera Software
Integrity Level: MEDIUM
Description: Opera GX Installer
Version: 96.0.4693.127
Modules (images):
  • c:\users\admin\appdata\local\temp\operagxsetup.exe
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
  • c:\windows\system32\user32.dll

PID: 3060
CMD: C:\Users\admin\AppData\Local\Temp\OperaGXSetup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=96.0.4693.127 --initial-client-data=0x178,0x17c,0x180,0x14c,0x184,0x6ceea4b0,0x6ceea4c0,0x6ceea4cc
Path: C:\Users\admin\AppData\Local\Temp\OperaGXSetup.exe
Parent process: OperaGXSetup.exe
User: admin
Company: Opera Software
Integrity Level: MEDIUM
Description: Opera GX Installer
Version: 96.0.4693.127
Modules (images):
  • c:\users\admin\appdata\local\temp\operagxsetup.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\imm32.dll

PID: 3116
CMD: "C:\Users\admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\OperaGXSetup.exe" --version
Path: C:\Users\admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\OperaGXSetup.exe
Parent process: OperaGXSetup.exe
User: admin
Company: Opera Software
Integrity Level: MEDIUM
Description: Opera GX Installer
Exit code: 0
Version: 96.0.4693.127
Modules (images):
  • c:\windows\system32\ntdll.dll
  • c:\users\admin\appdata\local\temp\.opera\opera gx installer temp\operagxsetup.exe
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
Total events: 9 744
Read events: 9 692
Write events: 52
Delete events: 0

Modification events

(PID) Process: (2668) OperaGXSetup.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (2668) OperaGXSetup.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (2668) OperaGXSetup.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value: 0

(PID) Process: (2668) OperaGXSetup.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write
Name: SavedLegacySettings
Value: 460000003D010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A80164000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (2668) OperaGXSetup.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (2668) OperaGXSetup.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (2668) OperaGXSetup.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (2668) OperaGXSetup.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (2668) OperaGXSetup.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E
Operation: write
Name: LanguageList
Value: en-US
Executable files: 8
Suspicious files: 16
Text files: 0
Unknown types: 8

Dropped files

PID | Process | Filename | Type
2668 | OperaGXSetup.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\50CD3D75D026C82E2E718570BD6F44D0_4951C995B7E4D893C4215525FE046100 | binary
  MD5: 25EEE5F200FBCBAB067290A070C1B983
  SHA256: 6D9871F82E7ACE3606B89EB5112099E4FBC45EBD6D74E9134777E8058B1E5F9C
2668 | OperaGXSetup.exe | C:\Users\admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports\settings.dat | binary
  MD5: 0183B32A6640425DE97AA2CBD967DAA8
  SHA256: 42E9478FACB58A41EE17CF6860A707EC626DC867029FD414772BF95317138248
2668 | OperaGXSetup.exe | C:\Users\admin\AppData\Local\Temp\Opera_installer_2303311939189422668.dll | executable
  MD5: 1CF4908922FF2DE82DFCC53695DB91CE
  SHA256: D4504F4874884779CC23606A9B219E442AB38E49E9F8F7C7FFE8B51D45D76592
3060 | OperaGXSetup.exe | C:\Users\admin\AppData\Local\Temp\Opera_installer_2303311939191143060.dll | executable
  MD5: 1CF4908922FF2DE82DFCC53695DB91CE
  SHA256: D4504F4874884779CC23606A9B219E442AB38E49E9F8F7C7FFE8B51D45D76592
2668 | OperaGXSetup.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_ADE4E4D3A3BCBCA5C39C54D362D88565 | binary
  MD5: F3235AA4C0FBB7602215BF6D1E257DDD
  SHA256: DDC3F194EC7860FA6B34728432481542B227F4F1C708C6DE002E90C61CAD6223
2668 | OperaGXSetup.exe | C:\Users\admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\OperaGXSetup.exe | executable
  MD5: 2D1079B9CB21A2CDB56799C2601A4F57
  SHA256: 0F7C489C79CFFBD581CFBB32FB066C223F8DE1FF30F71E129D0F4DE34ED532AB
2668 | OperaGXSetup.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary
  MD5: EEA3E5E6993311D7CAEA322ECA95CF3F
  SHA256: DFB994A6FAFD5C0670772CD1D3FE202698134FE6048E6F42F6FE03DF67239968
3116 | OperaGXSetup.exe | C:\Users\admin\AppData\Local\Temp\Opera_installer_2303311939193803116.dll | executable
  MD5: 1CF4908922FF2DE82DFCC53695DB91CE
  SHA256: D4504F4874884779CC23606A9B219E442AB38E49E9F8F7C7FFE8B51D45D76592
2668 | OperaGXSetup.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\50CD3D75D026C82E2E718570BD6F44D0_4951C995B7E4D893C4215525FE046100 | der
  MD5: 4FF5005D657E2CF17B5501B004E8B0CD
  SHA256: 4729A41CABDF185EC4413ED883A4453FC4D9F991E63AB8E7B2EC867239DECA66
2668 | OperaGXSetup.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_ADE4E4D3A3BCBCA5C39C54D362D88565 | der
  MD5: 84B1F477C90DBEB15A36B2CCAC368A13
  SHA256: 00AF63B52D5AB007911925C905AF313AEFB5F6B61E8DFD17BED35ABF8B0786EF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 5
TCP/UDP connections: 14
DNS requests: 7
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2668 | OperaGXSetup.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAfy81yHqHeveu%2FpR5k1Jb0%3D | US | der | 471 b | whitelisted
2668 | OperaGXSetup.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQrHR6YzPN2BNbByL0VoiTIBBMAOAQUCrwIKReMpTlteg7OM8cus%2B37w3oCEAkWPlmkY2sM4Y0QWNg2lJM%3D | US | der | 313 b | whitelisted
2668 | OperaGXSetup.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAonX%2BcE1u7LI9XNW0saTgQ%3D | US | der | 471 b | whitelisted
2668 | OperaGXSetup.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?d6feabe791fc9d3c | US | compressed | 4.70 Kb | whitelisted
2668 | OperaGXSetup.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | US | der | 1.47 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2668 | OperaGXSetup.exe | 82.145.216.16:443 | features.opera-api2.com | Opera Software AS | NO | suspicious
2668 | OperaGXSetup.exe | 82.145.216.15:443 | features.opera-api2.com | Opera Software AS | NO | suspicious
2668 | OperaGXSetup.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
2668 | OperaGXSetup.exe | 93.184.221.240:80 | ctldl.windowsupdate.com | EDGECAST | GB | whitelisted
2668 | OperaGXSetup.exe | 185.26.182.117:443 | download.opera.com | Opera Software AS | - | unknown
2668 | OperaGXSetup.exe | 82.145.217.121:443 | desktop-netinstaller-sub.osp.opera.software | Opera Software AS | NO | suspicious
2668 | OperaGXSetup.exe | 185.26.182.123:443 | autoupdate.geo.opera.com | Opera Software AS | - | suspicious
2668 | OperaGXSetup.exe | 185.26.182.124:443 | autoupdate.geo.opera.com | Opera Software AS | - | suspicious
2668 | OperaGXSetup.exe | 185.26.182.122:443 | download.opera.com | Opera Software AS | - | unknown
2668 | OperaGXSetup.exe | 104.18.2.211:443 | download5.operacdn.com | CLOUDFLARENET | - | unknown

DNS requests

Domain | IP | Reputation
desktop-netinstaller-sub.osp.opera.software | 82.145.217.121 | whitelisted
autoupdate.geo.opera.com | 185.26.182.124, 185.26.182.123 | whitelisted
ctldl.windowsupdate.com | 93.184.221.240 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
features.opera-api2.com | 82.145.216.16, 82.145.216.15 | malicious
download.opera.com | 185.26.182.122, 185.26.182.117 | whitelisted
download5.operacdn.com | 104.18.2.211, 104.18.3.211 | suspicious

Threats

No threats detected
No debug info