Malware Analysis Report

2025-03-14 22:36

Sample ID: 240406-12z8wscd81
Target: 6f02d76e6e3cb27742bc512c15908d45f14d2e6d06cd93e3084d6a95cf3b7de9
SHA256: 6f02d76e6e3cb27742bc512c15908d45f14d2e6d06cd93e3084d6a95cf3b7de9
Tags: persistence
Score: 8/10

Table of Contents

Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 8/10

SHA256: 6f02d76e6e3cb27742bc512c15908d45f14d2e6d06cd93e3084d6a95cf3b7de9

Threat Level: Likely malicious

The file 6f02d76e6e3cb27742bc512c15908d45f14d2e6d06cd93e3084d6a95cf3b7de9 was found to be: Likely malicious.

Malicious Activity Summary

persistence

Modifies AppInit DLL entries

Executes dropped EXE

Drops file in Program Files directory

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-06 22:09

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-06 22:09
Reported: 2024-04-06 22:12
Platform: win7-20240221-en
Max time kernel: 122s
Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6f02d76e6e3cb27742bc512c15908d45f14d2e6d06cd93e3084d6a95cf3b7de9.exe"

Signatures

Modifies AppInit DLL entries

persistence

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\PROGRA~3\Mozilla\gjsfhjk.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\PROGRA~3\Mozilla\gjsfhjk.exe | C:\Users\Admin\AppData\Local\Temp\6f02d76e6e3cb27742bc512c15908d45f14d2e6d06cd93e3084d6a95cf3b7de9.exe | N/A
File created | C:\PROGRA~3\Mozilla\eurgebe.dll | C:\PROGRA~3\Mozilla\gjsfhjk.exe | N/A

Suspicious use of UnmapMainImage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6f02d76e6e3cb27742bc512c15908d45f14d2e6d06cd93e3084d6a95cf3b7de9.exe | N/A
N/A | N/A | C:\PROGRA~3\Mozilla\gjsfhjk.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2192 wrote to memory of 1572 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\gjsfhjk.exe
PID 2192 wrote to memory of 1572 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\gjsfhjk.exe
PID 2192 wrote to memory of 1572 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\gjsfhjk.exe
PID 2192 wrote to memory of 1572 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\gjsfhjk.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6f02d76e6e3cb27742bc512c15908d45f14d2e6d06cd93e3084d6a95cf3b7de9.exe

"C:\Users\Admin\AppData\Local\Temp\6f02d76e6e3cb27742bc512c15908d45f14d2e6d06cd93e3084d6a95cf3b7de9.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {D122CE25-E8EE-4924-875F-E5B3667417C0} S-1-5-18:NT AUTHORITY\System:Service:

C:\PROGRA~3\Mozilla\gjsfhjk.exe

C:\PROGRA~3\Mozilla\gjsfhjk.exe -tuxiydl

Network

N/A

Files

memory/2860-0-0x0000000000270000-0x00000000002CB000-memory.dmp

memory/2860-1-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2860-3-0x0000000000400000-0x000000000045B000-memory.dmp

C:\PROGRA~3\Mozilla\gjsfhjk.exe

MD5 69d388dd84f7ac5bfa6237a289879a57
SHA1 a1316cd35337e8fd13d19996a725f75ae5769b94
SHA256 dc184cbb772177ca143deaef8912838c5e324ed7d04a9cafed3532a8b9d16757
SHA512 3464753e3c2f288091902c4c65d80f7ad9a6cf1cacf73bd21bbcb8a3f64ddff348d31033c1cba7cba4d54a144babe619df4eddb3a4830d3db296a61aed4922fa

memory/1572-6-0x0000000000460000-0x00000000004BB000-memory.dmp

memory/1572-7-0x0000000000400000-0x000000000045B000-memory.dmp

memory/1572-9-0x0000000000400000-0x000000000045B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-06 22:09
Reported: 2024-04-06 22:12
Platform: win10v2004-20240226-en
Max time kernel: 150s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6f02d76e6e3cb27742bc512c15908d45f14d2e6d06cd93e3084d6a95cf3b7de9.exe"

Signatures

Modifies AppInit DLL entries

persistence

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\PROGRA~3\Mozilla\qhdqeom.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\PROGRA~3\Mozilla\qhdqeom.exe | C:\Users\Admin\AppData\Local\Temp\6f02d76e6e3cb27742bc512c15908d45f14d2e6d06cd93e3084d6a95cf3b7de9.exe | N/A
File created | C:\PROGRA~3\Mozilla\ijdurdi.dll | C:\PROGRA~3\Mozilla\qhdqeom.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6f02d76e6e3cb27742bc512c15908d45f14d2e6d06cd93e3084d6a95cf3b7de9.exe

"C:\Users\Admin\AppData\Local\Temp\6f02d76e6e3cb27742bc512c15908d45f14d2e6d06cd93e3084d6a95cf3b7de9.exe"

C:\PROGRA~3\Mozilla\qhdqeom.exe

C:\PROGRA~3\Mozilla\qhdqeom.exe -tgbfvga

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 98.56.20.217.in-addr.arpa | udp
US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.83.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | | udp

Files

memory/3860-0-0x00000000021F0000-0x000000000224B000-memory.dmp

memory/3860-1-0x0000000000400000-0x000000000045B000-memory.dmp

C:\PROGRA~3\Mozilla\qhdqeom.exe

MD5 81a859a4555243ca8a0eb81aa4b1cc2d
SHA1 b9f1c2d14e099a38e10cd848b39edfd1ee9df080
SHA256 a505cfa083d0099ac5336eb1ec0baf8fc1a23973b3d49084712bb4b78bf9fb65
SHA512 fe3ee815f665c3ceaef328befd5dcaf914a2e520900c741e4079bc030c24388693245b67a05cbb861321b2a3ac1a8e0e17178ec1c35dec6cf6621fde5e6ce1ff

memory/3860-5-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2232-8-0x0000000000C50000-0x0000000000CAB000-memory.dmp

memory/2232-9-0x0000000000400000-0x000000000045B000-memory.dmp

memory/3860-7-0x00000000021F0000-0x000000000224B000-memory.dmp

memory/2232-11-0x0000000000400000-0x000000000045B000-memory.dmp