fd84148426c6188c0bdec2e66d1f4fda9392342adb0c225d64aaacce24ce8653

Analysis

max time kernel
117s
max time network
124s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 03:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

firefox32.exe
Size

62KB
MD5

866604f3adb9207e29505012215f203f
SHA1

718b342c3bc42f3e73c4014c2b105c4d467b0ba6
SHA256

978ed9b9c86653e8f10feb9e7f93eb32f2dadeec42ccce498403e96b7bb3e3c9
SHA512

cdcdd94e2a4c550a819a28085fe543ed944da298da1409ed111380fbde89f6976a4c7d040750307579b007b4551aa86182d453408436bd7aef35423c49b60f79
SSDEEP

768:nJ+norJ8u1A9lYYoEXVY8Vb4AitlW+j6O+5X3BJLkgpPpyI933jNdTfpLPvTMuO3:J1l+UMVUjWd/3ptl3jNdf5v7O3

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

firefox32.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language firefox32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	firefox32.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

firefox32.exe

description	pid	process	target process
PID 2656 wrote to memory of 2756	2656	firefox32.exe	cmd.exe
PID 2656 wrote to memory of 2756	2656	firefox32.exe	cmd.exe
PID 2656 wrote to memory of 2756	2656	firefox32.exe	cmd.exe
PID 2656 wrote to memory of 2756	2656	firefox32.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\firefox32.exe
"C:\Users\Admin\AppData\Local\Temp\firefox32.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2EAE.tmp\firefox32.bat "C:\Users\Admin\AppData\Local\Temp\firefox32.exe""
  2⤵
  PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2EAE.tmp\firefox32.bat

Filesize
55B

MD5
45447274a66eaafa5a87903f0b075f67

SHA1
ba2f083a4a6dc322c86ff1cb64440f25e43a4a36

SHA256
1419149136cfa6c40efb3585eb9ca2189ade06f2902b9db7d077b48362b0fdff

SHA512
109b999cc6ee756c3073bf3b85a4fff69ecf4edb5b4ffd27808a291cf0513f9c43706692a4eece2faa059137abdc6b1829c535836cdeb6586fc2ea9863c06cd9

Download Submit