Overview

overview

5

Static

static

5

Firefox Installer.exe

windows11-21h2-x64

5

Resubmissions

16/03/2025, 11:13

250316-nbgmmsspw8 5

16/03/2025, 11:03

250316-m5yycayzby 10

Analysis

  • max time kernel
    60s
  • max time network
    47s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250314-en
  • resource tags

    arch:x64arch:x86image:win11-20250314-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    16/03/2025, 11:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Firefox Installer.exe

  • Size

    364KB

  • MD5

    025551325e469abe4a751c806462b07e

  • SHA1

    4a3c205fa140a5b3ed0c969480287331209d818b

  • SHA256

    e46d78ad160f9ab85aac4246531fd3dd669006cddb8ed0dc23feec8b4621fb5b

  • SHA512

    cf9abb7c810535699fcbd395ce4bf7866290737f4af4a117b875304a18ce135baffccea3658fd6b5967de3bc48a38ec96e1f5049acc05ef27c3628fdb792ce53

  • SSDEEP

    6144:qaVWdyzOxeA1DfdwX3MmIO2NtxHjoRpFiX+piFDcCzJdAyzs5lSsZdpqkvfGE6wu:qMROxdDfOnMmXQthj+sJIGs5jZdcPTF

Score
5/10
discoveryspywarestealerupx

Malware Config

Signatures

  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 24 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 31 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 40 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 54 IoCs
  • Suspicious use of SendNotifyMessage 50 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Firefox Installer.exe
    "C:\Users\Admin\AppData\Local\Temp\Firefox Installer.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5808
    • C:\Users\Admin\AppData\Local\Temp\7zS0B698C07\setup-stub.exe
      .\setup-stub.exe
      2⤵
      • Drops file in Program Files directory
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      PID:2544
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 2580
        3⤵
        • Program crash
        PID:5064
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 136 -p 2544 -ip 2544
    1⤵
      PID:5000
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:2424
      • C:\Users\Admin\Desktop\Firefox Installer.exe
        "C:\Users\Admin\Desktop\Firefox Installer.exe"
        1⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4188
        • C:\Users\Admin\AppData\Local\Temp\7zSC5061AC7\setup-stub.exe
          .\setup-stub.exe
          2⤵
          • Drops file in Program Files directory
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          PID:5660
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 5660 -s 2416
            3⤵
            • Program crash
            PID:2612
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5660 -ip 5660
        1⤵
          PID:6136
        • C:\Windows\system32\taskmgr.exe
          "C:\Windows\system32\taskmgr.exe" /0
          1⤵
          • Checks SCSI registry key(s)
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:244
        • C:\Users\Admin\Desktop\Firefox Installer.exe
          "C:\Users\Admin\Desktop\Firefox Installer.exe"
          1⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1532
          • C:\Users\Admin\AppData\Local\Temp\7zSCF500BE7\setup-stub.exe
            .\setup-stub.exe
            2⤵
            • Drops file in Program Files directory
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            PID:5352
        • C:\Users\Admin\Desktop\Firefox Installer.exe
          "C:\Users\Admin\Desktop\Firefox Installer.exe"
          1⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2872
          • C:\Users\Admin\AppData\Local\Temp\7zS83B90BD7\setup-stub.exe
            .\setup-stub.exe
            2⤵
            • Drops file in Program Files directory
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            PID:4796
        • C:\Windows\SysWOW64\werfault.exe
          werfault.exe /h /shared Global\13d94f4b42f54b29a6e6a15934b05860 /t 2052 /p 4796
          1⤵
            PID:652

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_056B48C93C4964C2E64C0A8958238656
            Filesize

            1KB

            MD5

            11f835908c4bd88ef41db6eec675d4aa

            SHA1

            5bfff4840fc2a662ffb223f75e3c8042b949a1c9

            SHA256

            ce18c8f5fedd93a0de947bb987bcfe380e5b6528ddb744915c58247109585fd3

            SHA512

            de2ea6f7865356b4f50946cdf36fd89a7d9c5fd9396ccc07f7dd02d01fe65828ff92e1cf2a89a1ea19c9a1eee6a9a55aaace8b3a42a5b1968e675f92a9c08f94

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894
            Filesize

            1KB

            MD5

            d0073a68c73a3adf2cb98da3d007517b

            SHA1

            8433f95c4e08028174a2908a775e59ad56b506bc

            SHA256

            02c56d9c04f75cc6b89e8e837b62f1fa8971a742aba4f7a347e60cce8851d843

            SHA512

            c69e927b43c713b5dea8c73e93f4dc8766c146e265e1f6ac556bbe8db2e530bf6a5f192a8f972bdae1ee77e9072d19c910c890f40fe0a04a1cb728fb7bc38669

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_056B48C93C4964C2E64C0A8958238656
            Filesize

            434B

            MD5

            3c1baf2f0cdeee27ebd6efec4edf84a6

            SHA1

            d04deaeaf4802834f174cbb52ce599d651902d26

            SHA256

            c741ef4ff607d279b886f8568732c0d6fae1c7653679ec560c19aefabad8cf56

            SHA512

            6a251a862615db2d690dba4c8af7c2a9db7f0a13e19c8da867f8c8198b5fb20e99eb034fd3536f1f5b86229ef137985fe9ec5e5dbf825f9e1916cb37f52173f6

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894
            Filesize

            432B

            MD5

            6ce8530e3fd36aa64ca89a0cdcf27f34

            SHA1

            a5ea387a7019c310747327efd5826e33fc95aa6a

            SHA256

            bf53b48d501a60a5bf562d992890fa70e02024f3312144f32023275d3489766b

            SHA512

            59d20d6896b6ccefa5e555c4887d01a18a6089d9975ada24cf37167985f1bd1347b2f9b0224a6d0dd6392904e6d9981eb506156d9ae2ba425ea4f0d89efc9481

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\7zS0B698C07\setup-stub.exe
            Filesize

            631KB

            MD5

            e31b811102ad5e3766d3fc267c1563fe

            SHA1

            ef1299cd381b6cfe98518f98be1fb037fe0732d4

            SHA256

            7554d258449d00e5a375eca19e98ea2d1ffb75610caeca680d2fe327a2d89d15

            SHA512

            2c936a6ac51c5c246dc9ec14618dcc504b01ed54df1a3e594369368187d2deaf6e79d8a0dfca1cd9b7fa3539464fd3772aaba77f73b2c69515093684376c6974

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\nsi9BD3.tmp\bgstub.jpg
            Filesize

            66KB

            MD5

            c55f15ceedc724d6c6e15d1daf96b698

            SHA1

            af6bf647d708ca7a5377925d521097b67a269ae8

            SHA256

            4b7e441d51b790ee1c0baff19e4e968392a937877dfa8b84e74464f5ba7a4cf4

            SHA512

            05ccf388364d511ce3da14c9013b9a9128c16044713f19bb752c053ec7ec25cb3b47600b23ae6de7c8a62d817fa03ea4bd9c95fa6abfb0714bb3dcbba56de75d

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\nsi9BD3.tmp\installing_page.css
            Filesize

            1KB

            MD5

            6582e207592b60a995b4510cf959eb03

            SHA1

            08afdebde481b653e04f89bedad0cba6c8dbd999

            SHA256

            43c38801c1746880625f97eee3fe37fe94d1300adf812bfe26e47b094b87523b

            SHA512

            0a5a5ce944b89f552a38300674c44cc9de4920e87c2aa2c3c63bbceedff1d80ab35ab31274bfa89e0acc518470f466a2d67d483147f2ca8061d68b770e2ebe48

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\nsi9BD3.tmp\nsJSON.dll
            Filesize

            33KB

            MD5

            e832077eaee06f3b2ac9a8d2e7264567

            SHA1

            decbc329257c9c7fb67d3c449b4c5dfc1f87471f

            SHA256

            705f4947fb94254c4e5084e6a962045f6a4e790dfc1ecf59cd0fc3feb38bcbbf

            SHA512

            c1bada98c52ee2318d23c48fe202380eb42c5e1f18226cdc017f264c8c34f548bfe4d9b6eef13caae69ba321a71b199431b249fdec65f8bb1c386810932ccf6a

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\nsi9BD3.tmp\stub_common.css
            Filesize

            684B

            MD5

            544b51f11ad19df720669478d28f129d

            SHA1

            d238b604fd3fa37dfd552eacdc6aacc474fcddad

            SHA256

            4d9495b6f0e18331659993b79440e414a6e607fcdaeacbc7477e0683cc0fa98b

            SHA512

            bbbb0f31839316c51464cfd225166145f968ce38995dc2748df5402b7e109ff6119d65b6774fc4738638ad4c9d89776516b00ab5a700097d9d74e1824a11dc5e

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\nsr4BA0.tmp\CityHash.dll
            Filesize

            53KB

            MD5

            2021acc65fa998daa98131e20c4605be

            SHA1

            2e8407cfe3b1a9d839ea391cfc423e8df8d8a390

            SHA256

            c299a0a71bf57eb241868158b4fcfe839d15d5ba607e1bdc5499fdf67b334a14

            SHA512

            cb96d3547bab778cbe94076be6765ed2ae07e183e4888d6c380f240b8c6708662a3b2b6b2294e38c48bc91bf2cc5fc7cfcd3afe63775151ba2fe34b06ce38948

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\nsr4BA0.tmp\InetBgDL.dll
            Filesize

            95KB

            MD5

            af9e2d138cf17b8ff4d4b8df7fddaefa

            SHA1

            539afa302bc5cae7022896048cb7a0f3f2ab6907

            SHA256

            3921dec014fadd1de7f3a36606ac95882a17cb96df38a5424e58531a169f825b

            SHA512

            631ad8bbb9eea42b230f2729714874c921677c4be91ac0b35ab9e7751613045eb249f8a0dd1d5ce06bf2cd544507795836dcbf42be79f01a71333570ea27c840

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\nsr4BA0.tmp\System.dll
            Filesize

            22KB

            MD5

            b361682fa5e6a1906e754cfa08aa8d90

            SHA1

            c6701aee0c866565de1b7c1f81fd88da56b395d3

            SHA256

            b711c4f17690421c9dc8ddb9ed5a9ddc539b3a28f11e19c851e25dcfc7701c04

            SHA512

            2778f91c9bcf83277d26c71118a1ccb0fb3ce50e89729f14f4915bc65dd48503a77b1e5118ce774dea72f5ce3cc8681eb9ca3c55cf90e9f61a177101ba192ae9

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\nsr4BA0.tmp\UAC.dll
            Filesize

            28KB

            MD5

            d23b256e9c12fe37d984bae5017c5f8c

            SHA1

            fd698b58a563816b2260bbc50d7f864b33523121

            SHA256

            ec6a56d981892bf251df1439bea425a5f6c7e1c7312d44bedd5e2957f270338c

            SHA512

            13f284821324ffaeadafd3651f64d896186f47cf9a68735642cf37b37de777dba197067fbccd3a7411b5dc7976e510439253bd24c9be1d36c0a59d924c17ae8e

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\nsr4BA0.tmp\UserInfo.dll
            Filesize

            14KB

            MD5

            610ad03dec634768cd91c7ed79672d67

            SHA1

            dc8099d476e2b324c09db95059ec5fd3febe1e1e

            SHA256

            c6c413108539f141bea3f679e0e2ef705898c51ec7c2607f478a865fc5e2e2df

            SHA512

            18c3c92be81aadfa73884fe3bdf1fce96ccfbd35057600ef52788a871de293b64f677351ba2885c6e9ce5c3890c22471c92832ffc13ba544e9d0b347c5d33bfd

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\nsr4BA0.tmp\WebBrowser.dll
            Filesize

            103KB

            MD5

            b53cd4ad8562a11f3f7c7890a09df27a

            SHA1

            db66b94670d47c7ee436c2a5481110ed4f013a48

            SHA256

            281a0dc8b4f644334c2283897963b20df88fa9fd32acca98ed2856b23318e6ec

            SHA512

            bb45d93ed13df24a2056040c219cdf36ee44c8cddb7e178fdaabcec63ac965e07f679ca1fa42591bba571992af619aa1dc76e819a7901709df79598a2b0cef81

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\nsr4BA0.tmp\installing.html
            Filesize

            1KB

            MD5

            b2f87d34f34f96fb95861eb23cea6aa4

            SHA1

            34e42eb500a162d694f155b90e9f4f5e518b5081

            SHA256

            de8e76a2066602c34b4864c0db3aaeb71c11ec368398e00102139eb48b8908d4

            SHA512

            03332299cdf3a665443a6a41a01e691ae5945662e4cf4acd97a61e2f900807196711dc7af3958e4d8822c32441b5be96f2b735c571eca7b2914f13e0461ffcb2

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\nsr4BA0.tmp\installing.js
            Filesize

            2KB

            MD5

            5d880454577d033215b9153e956ff37b

            SHA1

            d609bfabf790817e2624e538c1ccae8143731ec7

            SHA256

            254bd34973522c900b2c480186dd26d8885f448023dfba244af88726998c36c6

            SHA512

            13b27295b9707b9f0d9f41be3af67dd49b7bcf79b3e58b065e6bc55f7eb59f9c8f79fff2126355748c14a16a9f1a884c2040bb196630e39cb51f9b4d1642ffe3

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\nsr4BA0.tmp\stub_common.js
            Filesize

            815B

            MD5

            efce3dce0165b3f6551db47e5c0ac8d6

            SHA1

            1e15f6bb688e3d645092c1aa5ee3136f8de65312

            SHA256

            dab39cbae31848cce0b5c43fddd2674fef4dea5b7a3dacdaabdc78a8a931817e

            SHA512

            cec12da07f52822aaed340b1b751153efa43e5c3d747fa39f03bb2800bf53e9416020d654a818a6088acb2cf5581714433d818537f04af150e6bfb6861c03988

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\nssCCB7.tmp\firefox_versions.json
            Filesize

            711B

            MD5

            207d6edf611c1b7cf5340bc8fcd4a6cb

            SHA1

            1c6cc0c1f30605ee47005c634077e985394a8dc4

            SHA256

            8770ab942f3b34b34f4470c1bb881de9e4c5c4820a56488ae991d556abc74d25

            SHA512

            fc9bff9de8701dd58d2baeba8a81c8873037b671a4f7ff9048c844d7a723714a294efc7a98546a2568d5293bb53c476045ef40702394ad306aaab858bafc196d

            Download Submit

          • memory/244-156-0x000001E67CA20000-0x000001E67CA21000-memory.dmp

            Filesize

            4KB

            Download

          • memory/244-149-0x000001E67CA20000-0x000001E67CA21000-memory.dmp

            Filesize

            4KB

            Download

          • memory/244-148-0x000001E67CA20000-0x000001E67CA21000-memory.dmp

            Filesize

            4KB

            Download

          • memory/244-147-0x000001E67CA20000-0x000001E67CA21000-memory.dmp

            Filesize

            4KB

            Download

          • memory/244-159-0x000001E67CA20000-0x000001E67CA21000-memory.dmp

            Filesize

            4KB

            Download

          • memory/244-158-0x000001E67CA20000-0x000001E67CA21000-memory.dmp

            Filesize

            4KB

            Download

          • memory/244-157-0x000001E67CA20000-0x000001E67CA21000-memory.dmp

            Filesize

            4KB

            Download

          • memory/244-154-0x000001E67CA20000-0x000001E67CA21000-memory.dmp

            Filesize

            4KB

            Download

          • memory/244-155-0x000001E67CA20000-0x000001E67CA21000-memory.dmp

            Filesize

            4KB

            Download

          • memory/244-153-0x000001E67CA20000-0x000001E67CA21000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4188-73-0x0000000000400000-0x0000000000446000-memory.dmp

            Filesize

            280KB

            Download

          • memory/5808-0-0x0000000000400000-0x0000000000446000-memory.dmp

            Filesize

            280KB

            Download

          • memory/5808-72-0x0000000000400000-0x0000000000446000-memory.dmp

            Filesize

            280KB

            Download