Analysis Overview
SHA256
6faf737e7f73a933153215ee35c3a0e26de0fdbfb76470b615240f1ba7f7b018
Threat Level: Likely malicious
The file 6faf737e7f73a933153215ee35c3a0e26de0fdbfb76470b615240f1ba7f7b018 was found to be: Likely malicious.
Malicious Activity Summary
Modifies AppInit DLL entries
Executes dropped EXE
Drops file in Program Files directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-06 22:10
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-06 22:10
Reported
2024-04-06 22:13
Platform
win7-20240221-en
Max time kernel
120s
Max time network
124s
Command Line
Signatures
Modifies AppInit DLL entries
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\PROGRA~3\Mozilla\tbckyxk.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\PROGRA~3\Mozilla\tbckyxk.exe | C:\Users\Admin\AppData\Local\Temp\6faf737e7f73a933153215ee35c3a0e26de0fdbfb76470b615240f1ba7f7b018.exe | N/A |
| File created | C:\PROGRA~3\Mozilla\newtrln.dll | C:\PROGRA~3\Mozilla\tbckyxk.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6faf737e7f73a933153215ee35c3a0e26de0fdbfb76470b615240f1ba7f7b018.exe | N/A |
| N/A | N/A | C:\PROGRA~3\Mozilla\tbckyxk.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2116 wrote to memory of 1696 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\tbckyxk.exe |
| PID 2116 wrote to memory of 1696 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\tbckyxk.exe |
| PID 2116 wrote to memory of 1696 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\tbckyxk.exe |
| PID 2116 wrote to memory of 1696 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\tbckyxk.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\6faf737e7f73a933153215ee35c3a0e26de0fdbfb76470b615240f1ba7f7b018.exe
"C:\Users\Admin\AppData\Local\Temp\6faf737e7f73a933153215ee35c3a0e26de0fdbfb76470b615240f1ba7f7b018.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {3ED2D991-848E-479D-BF56-6FBCAEBA318E} S-1-5-18:NT AUTHORITY\System:Service:
C:\PROGRA~3\Mozilla\tbckyxk.exe
C:\PROGRA~3\Mozilla\tbckyxk.exe -gqpcbye
Network
Files
memory/1932-0-0x0000000000400000-0x000000000045E000-memory.dmp
memory/1932-1-0x0000000000400000-0x000000000045B000-memory.dmp
memory/1932-2-0x0000000000270000-0x00000000002CB000-memory.dmp
memory/1932-4-0x0000000000400000-0x000000000045B000-memory.dmp
C:\PROGRA~3\Mozilla\tbckyxk.exe
| Hash | Value |
|---|---|
| MD5 | d50b2357fb78539f40b1929e245afcc2 |
| SHA1 | 6e8052f362ee9a6e71828fcf293152144e1a504e |
| SHA256 | 25b6dca56babd510db4d46913945915d43a84dbd78a1596c82e8213ad688f3c4 |
| SHA512 | 48aa8065258a5eea2796c2bb6adc31f8173abdd99e82429c7e5ab023cd82519fc7cc44fef57f593538ccd8671c5ce30f98ea699c28c6fceade7527efcdcfe539 |
memory/1696-7-0x0000000000400000-0x000000000045E000-memory.dmp
memory/1696-8-0x0000000000330000-0x000000000038B000-memory.dmp
memory/1696-9-0x0000000000400000-0x000000000045B000-memory.dmp
memory/1696-11-0x0000000000400000-0x000000000045B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-06 22:10
Reported
2024-04-06 22:13
Platform
win10v2004-20240226-en
Max time kernel
93s
Max time network
127s
Command Line
Signatures
Modifies AppInit DLL entries
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\PROGRA~3\Mozilla\gfuniul.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\PROGRA~3\Mozilla\gfuniul.exe | C:\Users\Admin\AppData\Local\Temp\6faf737e7f73a933153215ee35c3a0e26de0fdbfb76470b615240f1ba7f7b018.exe | N/A |
| File created | C:\PROGRA~3\Mozilla\kzlcazd.dll | C:\PROGRA~3\Mozilla\gfuniul.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\6faf737e7f73a933153215ee35c3a0e26de0fdbfb76470b615240f1ba7f7b018.exe
"C:\Users\Admin\AppData\Local\Temp\6faf737e7f73a933153215ee35c3a0e26de0fdbfb76470b615240f1ba7f7b018.exe"
C:\PROGRA~3\Mozilla\gfuniul.exe
C:\PROGRA~3\Mozilla\gfuniul.exe -lfdzfzd
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp |
Files
memory/4860-0-0x0000000000400000-0x000000000045E000-memory.dmp
memory/4860-1-0x00000000021F0000-0x000000000224B000-memory.dmp
memory/4860-2-0x0000000000400000-0x000000000045B000-memory.dmp
memory/4860-7-0x0000000000400000-0x000000000045B000-memory.dmp
memory/4920-6-0x0000000000400000-0x000000000045E000-memory.dmp
C:\PROGRA~3\Mozilla\gfuniul.exe
| Hash | Value |
|---|---|
| MD5 | b77dc2bcb2e8882dbd83c31afd2a81e9 |
| SHA1 | 40acb57e86dc9fe2aeb269eaa5de4e99dd960065 |
| SHA256 | a70d18e310394ac54c4d90fe3f9ceb7ea41b3ff561620a8799b70fdc642591a9 |
| SHA512 | 29d603eb3852ae628b3146c24b3fcc717d5a821983b7d1fd0c2d90204fa5da50d08be6bf85dd350ae7257d930c9e5cc82e91120675ecd95c498fb39e2a68ec13 |
memory/4920-10-0x0000000000400000-0x000000000045B000-memory.dmp
memory/4920-9-0x00000000004E0000-0x000000000053B000-memory.dmp
memory/4920-12-0x0000000000400000-0x000000000045B000-memory.dmp