cc00f4cf49623023e6a13a500fda644a1d39703677b2abe0b73b4ccdf7e87c93

Analysis

max time kernel
61s
max time network
63s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
02-01-2025 18:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Chloride Tweaks Ultimate 2.0.0/5 Other/Installers/Firefox Installer.exe
Size

326KB
MD5

d60338c59ecaffe6f9f751b2bb9eafcf
SHA1

373e003b74b07a77a87e41e9b9ca0f32e39ae9a3
SHA256

972464b17879ccea70a7e9ecee522344c4866200c1d8a353a7e1d2bc82472246
SHA512

7c3e3f81d35bf847f85f381a5ddf5452b7fa58fb8619a6901274d87e0ef9cdb64542c6d62e38661d5b57323a62ed0cab2246e8884b2500cc631a7afc458b1754
SSDEEP

6144:PaVWdyzOxeA1DfdwX3MmIOgVLZGMcf9Vm0Sol+90Uv5RaWSck:PMROxdDfOnMmXgVV49E0Y97vLaWSN

Score

7^/10

discovery spyware stealer upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2456	setup-stub.exe

Loads dropped DLL 7 IoCs

pid	Process
2456	setup-stub.exe
2456	setup-stub.exe
2456	setup-stub.exe
2456	setup-stub.exe
2456	setup-stub.exe
2456	setup-stub.exe
2456	setup-stub.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral7/memory/1928-0-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral7/memory/1928-91-0x0000000000400000-0x0000000000446000-memory.dmp	upx

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\nsz5E3F.tmp	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nsz5E40.tmp	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nsz5E3F.tmp\	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nsz5E41.tmp	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nsz5E42.tmp	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nsz5E41.tmp\	setup-stub.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4996	2456	WerFault.exe	81

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Firefox Installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup-stub.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2456	setup-stub.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2456	setup-stub.exe
2456	setup-stub.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 2456	1928	Firefox Installer.exe	81
PID 1928 wrote to memory of 2456	1928	Firefox Installer.exe	81
PID 1928 wrote to memory of 2456	1928	Firefox Installer.exe	81

C:\Users\Admin\AppData\Local\Temp\Chloride Tweaks Ultimate 2.0.0\5 Other\Installers\Firefox Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Chloride Tweaks Ultimate 2.0.0\5 Other\Installers\Firefox Installer.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Users\Admin\AppData\Local\Temp\7zS8875F917\setup-stub.exe
  .\setup-stub.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:2456
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 2644
    3⤵
    - Program crash
    PID:4996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2456 -ip 2456
1⤵
PID:228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS8875F917\setup-stub.exe

Filesize
465KB

MD5
fc7497c88efe011a67b98620d6d83086

SHA1
daf9bf323801cc00e4160190a548f5a13c152c7c

SHA256
e349831d424cf9f8305f5a60e1561495aa4bb3eae8bd7554ae3273c0444daeb8

SHA512
3dda9afb2203d943b6b248885191beba3c74cfed0bef580ad6276a127633e313a68442dc03628eb307ee708e9bb97187c482ee1cc44f3ff5cd58022fd7c5eb0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu5E1F.tmp\CityHash.dll

Filesize
43KB

MD5
737379945745bb94f8a0dadcc18cad8d

SHA1
6a1f497b4dc007f5935b66ec83b00e5a394332c6

SHA256
d3d7b3d7a7941d66c7f75257be90b12ac76f787af42cd58f019ce0280972598a

SHA512
c4a43b3ca42483cbd117758791d4333ddf38fa45eb3377f7b71ce74ec6e4d8b5ef2bfbe48c249d4eaf57ab929f4301138e53c79e0fa4be94dcbcd69c8046bc22

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu5E1F.tmp\InetBgDL.dll

Filesize
7KB

MD5
d4f7b4f9c296308e03a55cb0896a92fc

SHA1
63065bed300926a5b39eabf6efdf9296ed46e0cc

SHA256
6b553f94ac133d8e70fac0fcaa01217fae24f85d134d3964c1beea278191cf83

SHA512
d4acc719ae29c53845ccf4778e1d7ed67f30358af30545fc744facdb9f4e3b05d8cb7dc5e72c93895259e9882471c056395ab2e6f238310841b767d6acbcd6c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu5E1F.tmp\System.dll

Filesize
12KB

MD5
6e55a6e7c3fdbd244042eb15cb1ec739

SHA1
070ea80e2192abc42f358d47b276990b5fa285a9

SHA256
acf90ab6f4edc687e94aaf604d05e16e6cfb5e35873783b50c66f307a35c6506

SHA512
2d504b74da38edc967e3859733a2a9cacd885db82f0ca69bfb66872e882707314c54238344d45945dc98bae85772aceef71a741787922d640627d3c8ae8f1c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu5E1F.tmp\UAC.dll

Filesize
18KB

MD5
113c5f02686d865bc9e8332350274fd1

SHA1
4fa4414666f8091e327adb4d81a98a0d6e2e254a

SHA256
0d21041a1b5cd9f9968fc1d457c78a802c9c5a23f375327e833501b65bcd095d

SHA512
e190d1ee50c0b2446b14f0d9994a0ce58f5dbd2aa5d579f11b3a342da1d4abf0f833a0415d3817636b237930f314be54e4c85b4db4a9b4a3e532980ea9c91284

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu5E1F.tmp\UserInfo.dll

Filesize
4KB

MD5
61ecfcdd332cb31d32c6c019052834a2

SHA1
6de38d0c8991d349d29c208e98c44dbd02682f43

SHA256
910749b3dbf360b06cec386ef2133edf07612f6e5bbf3bdd0a4eaeb27db9ce08

SHA512
e1f8cea77a39628116dd05c8a8c1c149f254265bd4ffa36880251254e3e921619048620e8e61d3f299503528e2d54ccb8e181a075c01c94e3a4916fe1a152393

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu5E1F.tmp\WebBrowser.dll

Filesize
93KB

MD5
dfe24aa39f009e9d98b20b7c9cc070b1

SHA1
f48e4923c95466f689e8c5408265b52437ed2701

SHA256
8ec65a3d8ae8a290a6066773e49387fd368f5697392dfb58eac1b63640e30444

SHA512
665ce32d3776b1b41f95ed685054a796d0c1938dbc237619fa6309d1b52ae3bd44e3cf0a1f53ebf88556f7603111cca6dff1bfc917a911e0a9ce04affd0d5261

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu5E1F.tmp\bgstub.jpg

Filesize
66KB

MD5
c55f15ceedc724d6c6e15d1daf96b698

SHA1
af6bf647d708ca7a5377925d521097b67a269ae8

SHA256
4b7e441d51b790ee1c0baff19e4e968392a937877dfa8b84e74464f5ba7a4cf4

SHA512
05ccf388364d511ce3da14c9013b9a9128c16044713f19bb752c053ec7ec25cb3b47600b23ae6de7c8a62d817fa03ea4bd9c95fa6abfb0714bb3dcbba56de75d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu5E1F.tmp\installing.html

Filesize
1KB

MD5
32de55f44c497811dd7ed7f227f5c28d

SHA1
c111be08e7f3d268e7a2ed160d0c30833f25ae4a

SHA256
6259f3a41a703f13466503e6fbd37ca40e94f565a2f4b4087fbcd87a13bf3ee1

SHA512
48bb6f24b3ee2f4b7052205a3843ea34f917ee192b70261d2438c037b0e17d48bce8beb4c31be4141e9618922a45b6b47745b797e5618f18fe00bfc1625309ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu5E1F.tmp\installing.js

Filesize
2KB

MD5
dfa7861bca754036ab853b3bb02b194d

SHA1
46d7c5ba614b39caa4857fcba4bdedbabb2c67c0

SHA256
2c286b6eefd38f032a385f3ac6a1f794deab3bac0fbff71bd0ba21453f477878

SHA512
c58d96fb2496a84261a5e4b18cf4156a30f9ad161bbabc3652b6b5c24976f1ac432dced31927a9443260cdca0292524d1f691766b7c0731f926d37be11fe0c64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu5E1F.tmp\installing_page.css

Filesize
1KB

MD5
6582e207592b60a995b4510cf959eb03

SHA1
08afdebde481b653e04f89bedad0cba6c8dbd999

SHA256
43c38801c1746880625f97eee3fe37fe94d1300adf812bfe26e47b094b87523b

SHA512
0a5a5ce944b89f552a38300674c44cc9de4920e87c2aa2c3c63bbceedff1d80ab35ab31274bfa89e0acc518470f466a2d67d483147f2ca8061d68b770e2ebe48

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu5E1F.tmp\stub_common.css

Filesize
684B

MD5
544b51f11ad19df720669478d28f129d

SHA1
d238b604fd3fa37dfd552eacdc6aacc474fcddad

SHA256
4d9495b6f0e18331659993b79440e414a6e607fcdaeacbc7477e0683cc0fa98b

SHA512
bbbb0f31839316c51464cfd225166145f968ce38995dc2748df5402b7e109ff6119d65b6774fc4738638ad4c9d89776516b00ab5a700097d9d74e1824a11dc5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu5E1F.tmp\stub_common.js

Filesize
817B

MD5
58b8ac894c64370cfa137f5848aeb88d

SHA1
6a1ac1f88a918a232b79fe798b2de69cf433945f

SHA256
0e28aa770b0afade30be85c6dc1e50344db8f8cdd3fa01989d81a9e20a4990bd

SHA512
ae309518e0f926021e4d9378950c1a375263247d4f79d8a8cc09464cd01653ae5e707d52a4b0c36d532e649c246f4be6b5ba8648f58fb0e3e40c495ae63180ab

Download Submit
memory/1928-0-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1928-91-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download