2253320a3a18026f312a4a387fb41787e3ce525b52496c39552ba19b04c8708d

Resubmissions

02-10-2024 15:58

241002-teqmlsvdkm 5

02-10-2024 15:57

241002-tedcaavcrn 5

Analysis

max time kernel
12s
max time network
10s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
02-10-2024 15:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Firefox Installer.exe
Size

363KB
MD5

8e9cfdeb626b59cff3714e7b7a70b784
SHA1

23ad0734b40ddbf12360b41bf06caec354c9e012
SHA256

2253320a3a18026f312a4a387fb41787e3ce525b52496c39552ba19b04c8708d
SHA512

8a7684168d4ae996b1c30fc96a06376dad4c02a72cadea52f8f841821b1c36f01399302ee1c7b684f7a7aed90a0bbcd61bc8ae6916bab15f6e1d21448762f5b7
SSDEEP

6144:7aVWdyzOxeA1DfdwX3MmIOgWqbI52i3cxXl0RLWURVxI+N1mtWqMVmfeCUg4EIg:7MROxdDfOnMmXP0TcRZJjmooxIg

Score

5^/10

discovery upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2444-0-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2444-18-0x0000000000400000-0x0000000000446000-memory.dmp	upx

Executes dropped EXE 1 IoCs

pid	Process
1280	setup-stub.exe

Loads dropped DLL 2 IoCs

pid	Process
2444	Firefox Installer.exe
1280	setup-stub.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Firefox Installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup-stub.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 26 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1C690F91-80D7-11EF-AC29-D6FE44FD4752} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2696	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2696	iexplore.exe
2696	iexplore.exe
2576	IEXPLORE.EXE
2576	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 1280	2444	Firefox Installer.exe	30
PID 2444 wrote to memory of 1280	2444	Firefox Installer.exe	30
PID 2444 wrote to memory of 1280	2444	Firefox Installer.exe	30
PID 2444 wrote to memory of 1280	2444	Firefox Installer.exe	30
PID 2444 wrote to memory of 1280	2444	Firefox Installer.exe	30
PID 2444 wrote to memory of 1280	2444	Firefox Installer.exe	30
PID 2444 wrote to memory of 1280	2444	Firefox Installer.exe	30
PID 1280 wrote to memory of 2696	1280	setup-stub.exe	31
PID 1280 wrote to memory of 2696	1280	setup-stub.exe	31
PID 1280 wrote to memory of 2696	1280	setup-stub.exe	31
PID 1280 wrote to memory of 2696	1280	setup-stub.exe	31
PID 2696 wrote to memory of 2576	2696	iexplore.exe	32
PID 2696 wrote to memory of 2576	2696	iexplore.exe	32
PID 2696 wrote to memory of 2576	2696	iexplore.exe	32
PID 2696 wrote to memory of 2576	2696	iexplore.exe	32

C:\Users\Admin\AppData\Local\Temp\Firefox Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Firefox Installer.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Users\Admin\AppData\Local\Temp\7zSC89CE327\setup-stub.exe
  .\setup-stub.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1280
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://www.mozilla.org/firefox/system-requirements/
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2696 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

Filesize
230B

MD5
df8a30398821a8de2c7f5d060a4f9edd

SHA1
564dc708912141c8b4d40f4eb22b9fb8588e3116

SHA256
000d738f352f3b990da9a9b777dbbec9926e62e9a21871d015e222ee2a0b51e7

SHA512
ec97faa412fea0a066af8fad3b179192a3dfc00177aaca62f05edfab43487ceefbc1b959fb3233777844b51dc31e1c622d6167fa33d56d28fc6af49bd0573b28

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2f6d084f16e0fb538605fbef54d109c2

SHA1
c21603ba4355a04844a63b4defd0be9efa84fc35

SHA256
89cba7bbcaccba269694fdb36ad62a89088990d59c23044a6de7ac0e0c47ea7a

SHA512
e0f6c58aa0d6bb84d477ebcad76a7a12fc8135b1914a577098adf2e23b45278e1107abd286fc1114138d09d64443c363ea678f88ce73599b2f52ca18a3761056

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a91dc4f4f1163a591a304c10e6fd9fb3

SHA1
a058758551878d043288b94c89eabecf4519467c

SHA256
85b9530b43f377dea9c31b25f6e9d13ef6f8d4ab810bbedbdc3f70d7691022e0

SHA512
ccf0c1aba05288b027f7f69b5bf1e05eaa6d521dade115edcfaf427c92fcd82e606834164ca0c45cbff4918993f4217ea5dc6eb12008983c4891ab6160784e04

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f9f6af02259d6b277210c912e075041a

SHA1
497cfee796ba43490f8d6f84badef86b5ae4acc2

SHA256
6ab3d97cb10a836ce0b651aaa15a9d88e7aaf488e333b9e70abc7fe56405cf74

SHA512
f825317ce34144667c75041f957b693e72e00d4d6458ebf526d59b9f9199e1098ba9e109c77093778a18b4e2ba700177d6fc6b7b28c4f3158d0a0c5556133618

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eecd4c88d1bdd5dd71fd4cd1a41cf83d

SHA1
b526dbdf296d56f7d25fa1f185cc8ec693584d34

SHA256
f518bfc20792a42ab19ae2eee386b59715bb1884d659f55cd63cf563dc253e51

SHA512
cb57bc4618673163ad42493669bfd5d9d67df049f45bab2ff4c57ebc2927d6c71251223833d6456dc14e6b705261d07895e2fb2df06a6efdbdcf08d420b26863

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
483b10bc786caedaa7a42f3cf02637f3

SHA1
f1eaace9fc65cf58ead1401b58484b8699e1d8fc

SHA256
b5773413953287a7e4ba6dbd23ee6aac65bdaa17a295b1e70cce3189c29fb7ef

SHA512
0157aae2b6dea0046e7a0fe54e2b88e379852dabfb9f3901a663e155a6cdfb4190178fb8ba538597dc60feac8bad932d6ec2d2eaf719f06179c9b25c8dc255ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8fef2410b79a165b7fdac0bf01aaa116

SHA1
018a34b7305bf759bce03c5d9c577fdb6802e2a9

SHA256
a8ab17f1d8d6261c79ef56d199c111f6162c5a93ba8b1661fa3c74b195bdde2b

SHA512
5cc9c5caa333ee439e39162bfe429f94087909e486abc9c326a552589d73c827a65d973757c8d8bd99a47aa78435ed758eb6d4ecd19da2657fb624674c9cf992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\ivwlua0\imagestore.dat

Filesize
8KB

MD5
a8c811470fb861446f8ab59cbf4132de

SHA1
be519f4d9e5e5634de33e08b3ed032eb725d9860

SHA256
6b813f755adf04ba0ee3dd7d7dad01d4f2706adc2fd50812e066a7c6d77a2951

SHA512
1eee2c8ec1e766e17943f7ab3338088a03d01198bed03b38f27de3d69de7cc82f4c3156e63630ea3b370efbccfa6c1d3cacec4e33e417df0269f27dc093a21fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WHDSWW5V\favicon-196x196.59e3822720be[1].png

Filesize
7KB

MD5
59e3822720bedcc45ca5e6e6d3220ea9

SHA1
8daf0eb5833154557561c419b5e44bbc6dcc70ee

SHA256
1d58e7af9c848ae3ae30c795a16732d6ebc72d216a8e63078cf4efde4beb3805

SHA512
5bacb3be51244e724295e58314392a8111e9cab064c59f477b37b50d9b2a2ea5f4277700d493e031e60311ef0157bbd1eb2008d88ea22d880e5612cfd085da6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab24F0.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2551.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\7zSC89CE327\setup-stub.exe

Filesize
630KB

MD5
f117097319c87871100225bc370f7ad4

SHA1
d3e287b9abce80dda371b42c7b8f84417c5c2b13

SHA256
880684fa0ecbcfbe43d84dccb68a2904329ff6cab7723ad8f9b33dbeef35af33

SHA512
d6c04a4b144a0521618ac8658e29a5e8293b0372a82e2fc42f47679a93f89074d55d24ade8706271769a8abb9b954ff0a734407e81a1d2471d91fe0c525163d4

Download Submit
\Users\Admin\AppData\Local\Temp\nse649.tmp\System.dll

Filesize
22KB

MD5
b361682fa5e6a1906e754cfa08aa8d90

SHA1
c6701aee0c866565de1b7c1f81fd88da56b395d3

SHA256
b711c4f17690421c9dc8ddb9ed5a9ddc539b3a28f11e19c851e25dcfc7701c04

SHA512
2778f91c9bcf83277d26c71118a1ccb0fb3ce50e89729f14f4915bc65dd48503a77b1e5118ce774dea72f5ce3cc8681eb9ca3c55cf90e9f61a177101ba192ae9

Download Submit
memory/2444-18-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2444-0-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download