Malware Analysis Report

2025-08-05 21:21

Sample ID 240304-3heh7ahc63
Target a146b753ac67bd29bea524625bc84ee179a8e41f30128c384c3e812c5a1fb7e4
SHA256 a146b753ac67bd29bea524625bc84ee179a8e41f30128c384c3e812c5a1fb7e4
Tags
aspackv2 persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a146b753ac67bd29bea524625bc84ee179a8e41f30128c384c3e812c5a1fb7e4

Threat Level: Known bad

The file a146b753ac67bd29bea524625bc84ee179a8e41f30128c384c3e812c5a1fb7e4 was found to be: Known bad.

Malicious Activity Summary

aspackv2 persistence

Detects executables packed with ASPack

Detects executables packed with ASPack

Modifies AppInit DLL entries

Executes dropped EXE

ASPack v2.12-2.42

Drops file in Program Files directory

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-04 23:30

Signatures

Detects executables packed with ASPack

Description Indicator Process Target
N/A N/A N/A N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-04 23:30

Reported

2024-03-04 23:33

Platform

win7-20240221-en

Max time kernel

121s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a146b753ac67bd29bea524625bc84ee179a8e41f30128c384c3e812c5a1fb7e4.exe"

Signatures

Detects executables packed with ASPack

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies AppInit DLL entries

persistence

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\PROGRA~3\Mozilla\tbckyxk.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\PROGRA~3\Mozilla\tbckyxk.exe C:\Users\Admin\AppData\Local\Temp\a146b753ac67bd29bea524625bc84ee179a8e41f30128c384c3e812c5a1fb7e4.exe N/A
File created C:\PROGRA~3\Mozilla\newtrln.dll C:\PROGRA~3\Mozilla\tbckyxk.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a146b753ac67bd29bea524625bc84ee179a8e41f30128c384c3e812c5a1fb7e4.exe N/A
N/A N/A C:\PROGRA~3\Mozilla\tbckyxk.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2992 wrote to memory of 2984 N/A C:\Windows\system32\taskeng.exe C:\PROGRA~3\Mozilla\tbckyxk.exe
PID 2992 wrote to memory of 2984 N/A C:\Windows\system32\taskeng.exe C:\PROGRA~3\Mozilla\tbckyxk.exe
PID 2992 wrote to memory of 2984 N/A C:\Windows\system32\taskeng.exe C:\PROGRA~3\Mozilla\tbckyxk.exe
PID 2992 wrote to memory of 2984 N/A C:\Windows\system32\taskeng.exe C:\PROGRA~3\Mozilla\tbckyxk.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a146b753ac67bd29bea524625bc84ee179a8e41f30128c384c3e812c5a1fb7e4.exe

"C:\Users\Admin\AppData\Local\Temp\a146b753ac67bd29bea524625bc84ee179a8e41f30128c384c3e812c5a1fb7e4.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {6494064D-41D5-4A06-9565-9ECA20CCDD9F} S-1-5-18:NT AUTHORITY\System:Service:

C:\PROGRA~3\Mozilla\tbckyxk.exe

C:\PROGRA~3\Mozilla\tbckyxk.exe -gqpcbye

Network

N/A

Files

memory/2648-0-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2648-2-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2648-1-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2648-3-0x0000000000260000-0x00000000002BB000-memory.dmp

memory/2648-4-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2648-6-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2648-7-0x0000000000260000-0x00000000002BB000-memory.dmp

C:\PROGRA~3\Mozilla\tbckyxk.exe

MD5 34ac307216774702e454df3fa7b1fbce
SHA1 c6eaa00f20deffd11f2bfa15641b714becf0eaf4
SHA256 9d04f9cd1f8d0ea52bbef222bf28d781221ac22f02b6f124d4861fee92064144
SHA512 f31593308e62a8608b94e9d31bcb6da1500c1ce4496ba9a8db3f4f44dc5331bd012d28e29cebdfc721787bd5eaaf6baf90556cee60945edb438949108c216f1f

memory/2984-10-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2984-13-0x0000000000290000-0x00000000002EB000-memory.dmp

memory/2984-14-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2984-16-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2984-17-0x0000000000290000-0x00000000002EB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-04 23:30

Reported

2024-03-04 23:33

Platform

win10v2004-20240226-en

Max time kernel

144s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a146b753ac67bd29bea524625bc84ee179a8e41f30128c384c3e812c5a1fb7e4.exe"

Signatures

Detects executables packed with ASPack

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies AppInit DLL entries

persistence

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\PROGRA~3\Mozilla\xrwomfe.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\PROGRA~3\Mozilla\xrwomfe.exe C:\Users\Admin\AppData\Local\Temp\a146b753ac67bd29bea524625bc84ee179a8e41f30128c384c3e812c5a1fb7e4.exe N/A
File created C:\PROGRA~3\Mozilla\xblkzla.dll C:\PROGRA~3\Mozilla\xrwomfe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a146b753ac67bd29bea524625bc84ee179a8e41f30128c384c3e812c5a1fb7e4.exe

"C:\Users\Admin\AppData\Local\Temp\a146b753ac67bd29bea524625bc84ee179a8e41f30128c384c3e812c5a1fb7e4.exe"

C:\PROGRA~3\Mozilla\xrwomfe.exe

C:\PROGRA~3\Mozilla\xrwomfe.exe -cybdupc

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1412 --field-trial-handle=2272,i,17338911640954948469,1637568328132129119,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 142.250.187.202:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 202.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/4968-0-0x0000000000400000-0x000000000045E000-memory.dmp

memory/4968-1-0x0000000000400000-0x000000000045E000-memory.dmp

memory/4968-2-0x0000000000400000-0x000000000045E000-memory.dmp

memory/4968-3-0x0000000002210000-0x000000000226B000-memory.dmp

memory/4968-4-0x0000000000400000-0x000000000045B000-memory.dmp

C:\ProgramData\Mozilla\xrwomfe.exe

MD5 79407860a3d11558d74d616d4003b690
SHA1 26c048c7772478ca6003117f60e4e2da43263721
SHA256 813e78920520f6a20c5249648a9fe558bbb6e8a3e985569263eab38abfd909e7
SHA512 c73afe6a8c23e20bff1241f1149cce536d5e060fce2525fee2ff70b1bdb2aaf4a34f656e96d4bacc5b49baada598422a6c468be437ea03d4870281a7187c1feb

memory/4968-8-0x0000000000400000-0x000000000045B000-memory.dmp

memory/4968-9-0x0000000002210000-0x000000000226B000-memory.dmp

memory/1572-11-0x0000000000400000-0x000000000045E000-memory.dmp

memory/1572-12-0x0000000000400000-0x000000000045E000-memory.dmp

memory/1572-13-0x0000000000C20000-0x0000000000C7B000-memory.dmp

memory/1572-14-0x0000000000400000-0x000000000045B000-memory.dmp

memory/1572-17-0x0000000000400000-0x000000000045B000-memory.dmp