Malware Analysis Report

2025-03-14 22:35

Sample ID: 240406-13488sdb55
Target: 6fecda4c6018d1a73a8c000b7b7ddbc492b6f08d9946e1a3a68d180e3e21b4cc
SHA256: 6fecda4c6018d1a73a8c000b7b7ddbc492b6f08d9946e1a3a68d180e3e21b4cc
Tags: persistence
Score: 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 8/10

SHA256: 6fecda4c6018d1a73a8c000b7b7ddbc492b6f08d9946e1a3a68d180e3e21b4cc

Threat Level: Likely malicious

The file 6fecda4c6018d1a73a8c000b7b7ddbc492b6f08d9946e1a3a68d180e3e21b4cc was found to be: Likely malicious.

Malicious Activity Summary

persistence

Modifies AppInit DLL entries

Executes dropped EXE

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of UnmapMainImage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-06 22:11

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-06 22:11

Reported: 2024-04-06 22:13

Platform: win7-20240221-en

Max time kernel: 119s

Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6fecda4c6018d1a73a8c000b7b7ddbc492b6f08d9946e1a3a68d180e3e21b4cc.exe"

Signatures

Modifies AppInit DLL entries

persistence

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\PROGRA~3\Mozilla\dbilzqh.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\PROGRA~3\Mozilla\dbilzqh.exe | C:\Users\Admin\AppData\Local\Temp\6fecda4c6018d1a73a8c000b7b7ddbc492b6f08d9946e1a3a68d180e3e21b4cc.exe | N/A
File created | C:\PROGRA~3\Mozilla\zxoabnc.dll | C:\PROGRA~3\Mozilla\dbilzqh.exe | N/A

Suspicious use of UnmapMainImage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6fecda4c6018d1a73a8c000b7b7ddbc492b6f08d9946e1a3a68d180e3e21b4cc.exe | N/A
N/A | N/A | C:\PROGRA~3\Mozilla\dbilzqh.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1724 wrote to memory of 2196 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\dbilzqh.exe
PID 1724 wrote to memory of 2196 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\dbilzqh.exe
PID 1724 wrote to memory of 2196 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\dbilzqh.exe
PID 1724 wrote to memory of 2196 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\dbilzqh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6fecda4c6018d1a73a8c000b7b7ddbc492b6f08d9946e1a3a68d180e3e21b4cc.exe

"C:\Users\Admin\AppData\Local\Temp\6fecda4c6018d1a73a8c000b7b7ddbc492b6f08d9946e1a3a68d180e3e21b4cc.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {70A54601-AC19-4526-8E9D-A16A83B1501B} S-1-5-18:NT AUTHORITY\System:Service:

C:\PROGRA~3\Mozilla\dbilzqh.exe

C:\PROGRA~3\Mozilla\dbilzqh.exe -kwinamg

Network

N/A

Files

memory/2112-0-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2112-1-0x00000000002F0000-0x000000000034B000-memory.dmp

memory/2112-2-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2112-4-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2112-5-0x00000000002F0000-0x000000000034B000-memory.dmp

C:\PROGRA~3\Mozilla\dbilzqh.exe

MD5 eac5fc0b522d38fef1935dac02861950
SHA1 d544fe63057c09b19ecca7bb8124b04110afe421
SHA256 75dcac8483af01fd31af9823e72a37db9b22d23bcb9d1f787cd309654659ba6c
SHA512 a2cde8dd78f27602c50101f7a4cfb6ef819b6f4f89d63cd3fed62ea6cc5231238e04269e0ad5dc10bbf396cfdc6e77c84e141e3a33b79717e62738908c08302c

memory/2196-8-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2196-9-0x0000000000850000-0x00000000008AB000-memory.dmp

memory/2196-10-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2196-12-0x0000000000400000-0x000000000045B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-06 22:11

Reported: 2024-04-06 22:14

Platform: win10v2004-20240319-en

Max time kernel: 137s

Max time network: 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6fecda4c6018d1a73a8c000b7b7ddbc492b6f08d9946e1a3a68d180e3e21b4cc.exe"

Signatures

Modifies AppInit DLL entries

persistence

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\PROGRA~3\Mozilla\jhifwqk.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\PROGRA~3\Mozilla\jhifwqk.exe | C:\Users\Admin\AppData\Local\Temp\6fecda4c6018d1a73a8c000b7b7ddbc492b6f08d9946e1a3a68d180e3e21b4cc.exe | N/A
File created | C:\PROGRA~3\Mozilla\biclnte.dll | C:\PROGRA~3\Mozilla\jhifwqk.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6fecda4c6018d1a73a8c000b7b7ddbc492b6f08d9946e1a3a68d180e3e21b4cc.exe

"C:\Users\Admin\AppData\Local\Temp\6fecda4c6018d1a73a8c000b7b7ddbc492b6f08d9946e1a3a68d180e3e21b4cc.exe"

C:\PROGRA~3\Mozilla\jhifwqk.exe

C:\PROGRA~3\Mozilla\jhifwqk.exe -zmqutfb

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4276 --field-trial-handle=2224,i,17688331074622862378,73816879873678745,262144 --variations-seed-version /prefetch:8

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp
IE | 94.245.104.56:443 | | tcp
GB | 172.166.92.12:443 | | tcp
GB | 51.140.242.104:443 | | tcp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
NL | 142.250.179.138:443 | | tcp
NL | 142.250.179.138:443 | | tcp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 99.56.20.217.in-addr.arpa | udp
GB | 13.105.221.16:443 | | tcp
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp

Files

memory/3700-0-0x0000000000400000-0x000000000045B000-memory.dmp

memory/3700-1-0x00000000021F0000-0x000000000224B000-memory.dmp

memory/3700-2-0x0000000000400000-0x000000000045B000-memory.dmp

C:\ProgramData\Mozilla\jhifwqk.exe

MD5 5339b99f876b6c206f7b99606a3583d2
SHA1 7df484560879171141709814abd64b6942a4f23c
SHA256 223763965daa2aa027e6504121bb1f64ce6dd6a7b5d3e3c6ecefc50ad545ddad
SHA512 a6975149021637e054c1eb7702483c014053ffe49bf718dd30c7de6dbcce87773daf106e48416ed7ad0126b2c2ab01b0eae6f829c886b8260509cf69f9614393

memory/4676-6-0x0000000000400000-0x000000000045B000-memory.dmp

memory/4676-7-0x0000000000C20000-0x0000000000C7B000-memory.dmp

memory/3700-8-0x0000000000400000-0x000000000045B000-memory.dmp

memory/4676-11-0x0000000000400000-0x000000000045B000-memory.dmp